agenttesla | 8ccbf1ed960f1c8d93be2abbb9b7228a156c64b82ad258458e596226aaf6c95c

General

Target

SH-765433_pdf.exe
Size

347KB
MD5

971b0cc850794850607ece60e62da848
SHA1

e717ebba195c641533dc4cd704fb59b001804a97
SHA256

8ccbf1ed960f1c8d93be2abbb9b7228a156c64b82ad258458e596226aaf6c95c
SHA512

960faa4b0b90afe5c6b44ebeb2a83c6702c643ef4ebfc5802bc344d96bd456d314a63fa3a4aa786b4e3dc04523c0a7a2dc6636d05e6f986d1d10e0964a359386
SSDEEP

6144:9kwI5mH2y25AOzOGP4d4ndG/UXkR6Z3+6xeZPgw9ceD2bSDs:U5N3zOGQh/UXkRi+sAFceEss

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 3 IoCs

Processes:

jmpssjbye.exejmpssjbye.exejmpssjbye.exe

pid process

4316 jmpssjbye.exe
2468 jmpssjbye.exe
1496 jmpssjbye.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4316	jmpssjbye.exe
2468	jmpssjbye.exe
1496	jmpssjbye.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jmpssjbye.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jmpssjbye.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jmpssjbye.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jmpssjbye.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jmpssjbye.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "C:\\Users\\Admin\\AppData\\Roaming\\Skype\\Skype.exe"	jmpssjbye.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

91 api.ipify.org
92 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

jmpssjbye.exe

description pid process target process

PID 4316 set thread context of 1496 4316 jmpssjbye.exe jmpssjbye.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

jmpssjbye.exe

pid process

1496 jmpssjbye.exe
1496 jmpssjbye.exe
1496 jmpssjbye.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

jmpssjbye.exe

pid process

4316 jmpssjbye.exe
4316 jmpssjbye.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jmpssjbye.exe

description pid process

Token: SeDebugPrivilege 1496 jmpssjbye.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jmpssjbye.exe

pid process

1496 jmpssjbye.exe

flow	ioc
91	api.ipify.org
92	api.ipify.org

description	pid	process	target process
PID 4316 set thread context of 1496	4316	jmpssjbye.exe	jmpssjbye.exe

pid	process
1496	jmpssjbye.exe
1496	jmpssjbye.exe
1496	jmpssjbye.exe

pid	process
4316	jmpssjbye.exe
4316	jmpssjbye.exe

description	pid	process
Token: SeDebugPrivilege	1496	jmpssjbye.exe

pid	process
1496	jmpssjbye.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

SH-765433_pdf.exejmpssjbye.exe

description	pid	process	target process
PID 4552 wrote to memory of 4316	4552	SH-765433_pdf.exe	jmpssjbye.exe
PID 4552 wrote to memory of 4316	4552	SH-765433_pdf.exe	jmpssjbye.exe
PID 4552 wrote to memory of 4316	4552	SH-765433_pdf.exe	jmpssjbye.exe
PID 4316 wrote to memory of 2468	4316	jmpssjbye.exe	jmpssjbye.exe
PID 4316 wrote to memory of 2468	4316	jmpssjbye.exe	jmpssjbye.exe
PID 4316 wrote to memory of 2468	4316	jmpssjbye.exe	jmpssjbye.exe
PID 4316 wrote to memory of 1496	4316	jmpssjbye.exe	jmpssjbye.exe
PID 4316 wrote to memory of 1496	4316	jmpssjbye.exe	jmpssjbye.exe
PID 4316 wrote to memory of 1496	4316	jmpssjbye.exe	jmpssjbye.exe
PID 4316 wrote to memory of 1496	4316	jmpssjbye.exe	jmpssjbye.exe

outlook_office_path 1 IoCs

Processes:

jmpssjbye.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jmpssjbye.exe

outlook_win_path 1 IoCs

Processes:

jmpssjbye.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jmpssjbye.exe

C:\Users\Admin\AppData\Local\Temp\SH-765433_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SH-765433_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe
  "C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe" C:\Users\Admin\AppData\Local\Temp\ehwcr.fk
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4316
- - C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe
    "C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe"
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe
    "C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ehwcr.fk

Filesize
5KB

MD5
68cd911df4d68d584ca4282788a95530

SHA1
fc91c5c57dbb5abe9c4a18e482ec74e962090c53

SHA256
75f41703a00ae3744d1dc21df418ef5f79ac14dd3d46d5ce245d05b9645aa1ff

SHA512
bb583fb4b9336ca8dc1cc4b73e71638d2ae5b6e088ff183b171c4bcc8ae90036ab60958e87fd61c5f8dbe71862f8c52b3eb35086b6a21b4be9f024ab2dea6bf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifoxwb.yad

Filesize
241KB

MD5
33c122f63413881e4335231f56fa056e

SHA1
af6700cd2a6a26cf13f837d89d95de826dc5c67d

SHA256
b4865e6a67d14d4701185930eb002a08ac193f21f45ffd6980a15b9e4bfc98dd

SHA512
1477d017bb498c7830d1971eac2a44c370c42e470e9079e96c9c74939b72faddca4cf05a83460a76d42b9bf67afbef62a76b0098271b0df8c1a5f6576a14a7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe

Filesize
287KB

MD5
8acbb590c8f9e3359d423579ad62e46c

SHA1
151c4b9f98212953a1602a93eee4c8fea69ee757

SHA256
9cb977a24715b4131f88116c28e1bd2a4e890ee211ff67abd1e252b890aa0d93

SHA512
78bef162ee89bce5467f87ea7a3f728c364d35eb0a191d744e40c58a122eecd26a5d5cecd68f5f3660ada0a549a506bd9f8bc95c1d81ece6b679395f67e92cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe

Filesize
287KB

MD5
8acbb590c8f9e3359d423579ad62e46c

SHA1
151c4b9f98212953a1602a93eee4c8fea69ee757

SHA256
9cb977a24715b4131f88116c28e1bd2a4e890ee211ff67abd1e252b890aa0d93

SHA512
78bef162ee89bce5467f87ea7a3f728c364d35eb0a191d744e40c58a122eecd26a5d5cecd68f5f3660ada0a549a506bd9f8bc95c1d81ece6b679395f67e92cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe

Filesize
287KB

MD5
8acbb590c8f9e3359d423579ad62e46c

SHA1
151c4b9f98212953a1602a93eee4c8fea69ee757

SHA256
9cb977a24715b4131f88116c28e1bd2a4e890ee211ff67abd1e252b890aa0d93

SHA512
78bef162ee89bce5467f87ea7a3f728c364d35eb0a191d744e40c58a122eecd26a5d5cecd68f5f3660ada0a549a506bd9f8bc95c1d81ece6b679395f67e92cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmpssjbye.exe

Filesize
287KB

MD5
8acbb590c8f9e3359d423579ad62e46c

SHA1
151c4b9f98212953a1602a93eee4c8fea69ee757

SHA256
9cb977a24715b4131f88116c28e1bd2a4e890ee211ff67abd1e252b890aa0d93

SHA512
78bef162ee89bce5467f87ea7a3f728c364d35eb0a191d744e40c58a122eecd26a5d5cecd68f5f3660ada0a549a506bd9f8bc95c1d81ece6b679395f67e92cf8

Download Submit
memory/1496-139-0x0000000000000000-mapping.dmp

Download
memory/1496-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1496-142-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/1496-143-0x00000000056A0000-0x000000000573C000-memory.dmp

Filesize
624KB

Download
memory/1496-144-0x00000000065E0000-0x0000000006646000-memory.dmp

Filesize
408KB

Download
memory/1496-145-0x0000000006E30000-0x0000000006EC2000-memory.dmp

Filesize
584KB

Download
memory/1496-146-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/1496-147-0x0000000007200000-0x0000000007250000-memory.dmp

Filesize
320KB

Download
memory/2468-137-0x0000000000000000-mapping.dmp

Download
memory/4316-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads