agenttesla | d3c2f6c0cf022d926366f343c1048acf8fee9575f42d700cce3f0ffc9605d33d

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

414KB
MD5

e380c8d132b43974acf2e2bc3e5fde65
SHA1

db41b1691c5fa507e9cf9a120b0766744ad42832
SHA256

d3c2f6c0cf022d926366f343c1048acf8fee9575f42d700cce3f0ffc9605d33d
SHA512

eadccca823f3c7a28d7bbb4b76b062b6343765380572a59814ed0013a89f15b7d64899e632fc2a41a85ddbca91fb614e158e3cba7008e184122d41b7db1e55d4
SSDEEP

6144:UkwJK/tPpyRo/xHJ/aOwcluMrB3EsFXaBNDVKdiD1x:p/tPgAE1clbvXmOdAr

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1592	iejhtizfs.exe
5116	iejhtizfs.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iejhtizfs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iejhtizfs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iejhtizfs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwltfh = "C:\\Users\\Admin\\AppData\\Roaming\\tkonvp\\phiirqoombri.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\iejhtizfs.exe\" C:\\Users\\Admin\\AppData\\Lo"	iejhtizfs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GsHLJkZ = "C:\\Users\\Admin\\AppData\\Roaming\\GsHLJkZ\\GsHLJkZ.exe"	iejhtizfs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 5116	1592	iejhtizfs.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5116	iejhtizfs.exe
5116	iejhtizfs.exe
5116	iejhtizfs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1592	iejhtizfs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	iejhtizfs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 1592	4352	Ziraat Bankasi Swift Mesaji.exe	83
PID 4352 wrote to memory of 1592	4352	Ziraat Bankasi Swift Mesaji.exe	83
PID 4352 wrote to memory of 1592	4352	Ziraat Bankasi Swift Mesaji.exe	83
PID 1592 wrote to memory of 5116	1592	iejhtizfs.exe	85
PID 1592 wrote to memory of 5116	1592	iejhtizfs.exe	85
PID 1592 wrote to memory of 5116	1592	iejhtizfs.exe	85
PID 1592 wrote to memory of 5116	1592	iejhtizfs.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iejhtizfs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	iejhtizfs.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe
  "C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe" C:\Users\Admin\AppData\Local\Temp\wqkbdbkh.m
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe
    "C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe

Filesize
49KB

MD5
97fde168830c64f90bfa7527feee8148

SHA1
7c7c54124ee0a5dfb2881c4da57a8d06486a5418

SHA256
ec631005b5ddcd8cd53aa744dd431c4f880c50c0513fa1c4a3e8b7e7364d9a5f

SHA512
8c3e3399e4370aa329c1f988951ac209b25c2f456b117e191d7fbfc485f96799abb5dd57ae3fb79843e96a511659971a3350600c45033f6d8dca47d8113f0127

Download Submit
C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe

Filesize
49KB

MD5
97fde168830c64f90bfa7527feee8148

SHA1
7c7c54124ee0a5dfb2881c4da57a8d06486a5418

SHA256
ec631005b5ddcd8cd53aa744dd431c4f880c50c0513fa1c4a3e8b7e7364d9a5f

SHA512
8c3e3399e4370aa329c1f988951ac209b25c2f456b117e191d7fbfc485f96799abb5dd57ae3fb79843e96a511659971a3350600c45033f6d8dca47d8113f0127

Download Submit
C:\Users\Admin\AppData\Local\Temp\iejhtizfs.exe

Filesize
49KB

MD5
97fde168830c64f90bfa7527feee8148

SHA1
7c7c54124ee0a5dfb2881c4da57a8d06486a5418

SHA256
ec631005b5ddcd8cd53aa744dd431c4f880c50c0513fa1c4a3e8b7e7364d9a5f

SHA512
8c3e3399e4370aa329c1f988951ac209b25c2f456b117e191d7fbfc485f96799abb5dd57ae3fb79843e96a511659971a3350600c45033f6d8dca47d8113f0127

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzlqg.dhv

Filesize
239KB

MD5
e8b6fb50f0b228a3fef85ae2867c0c82

SHA1
f420549e2d8ed7f7ef43ffab78fcdcbdccbf3553

SHA256
3a5d977322e908d96153b965b1c86b7ecee8bc984e6fa0be9ff34189f7dd7758

SHA512
c997093839dcdb346b4ef12d02d1edc02090ae81eee1c84039fbec261a375627bfbc14334082c8ccb0dcb25ae173b422b08a09cf35fa9f3627cd7f4c100f7b8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqkbdbkh.m

Filesize
7KB

MD5
cf0b3b91b4837b5ec91d75fa61ae294a

SHA1
11698324b32ef7b670ee598db75b37f1d3d39379

SHA256
3fa78ba67942b2a706437a3ec1e590cdb54d09376460553829995fc493770db7

SHA512
2f91bce6623bfc9185886b256a67fd8b72e1bc00733e96c5d61940970bf987b64abb3abbbd2634ca75de053f9443a036246a4d488bfea09591ddf978b7c09ca2

Download Submit
memory/5116-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5116-140-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/5116-141-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/5116-142-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/5116-143-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/5116-144-0x0000000005EC0000-0x0000000005ECA000-memory.dmp

Filesize
40KB

Download
memory/5116-145-0x00000000060E0000-0x0000000006130000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing