agenttesla | 1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77

General

Target

1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe
Size

979KB
MD5

fca53d1616ba9ce9370929f3b386e8ba
SHA1

2f022acc5807bf02007d8e19ffc6d7e06ef0787e
SHA256

1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77
SHA512

e8c2739708e42d4f786c82a59469eb9ac71a2c4dadc813fb50985d96a2f5f04532fad57e4ca6b536865ae9594e98745059ec146dd6b92cd295329ffe4721548c
SSDEEP

12288:1MKE2iNjuOx2cumQCRF43KYfDK/lKq7qsnCjc1f2FQiss/S+PmsBYiW7B5pN:uH1VuOx2cJlv5YGNKM5bNmJs6Sq

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
graceofgod@amenn

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1220-143-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1240	powershell.exe
1220	RegSvcs.exe
1220	RegSvcs.exe
1240	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1220	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1220	RegSvcs.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1240	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	92
PID 2472 wrote to memory of 1240	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	92
PID 2472 wrote to memory of 1240	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	92
PID 2472 wrote to memory of 2300	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	94
PID 2472 wrote to memory of 2300	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	94
PID 2472 wrote to memory of 2300	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	94
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96
PID 2472 wrote to memory of 1220	2472	1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe
"C:\Users\Admin\AppData\Local\Temp\1d20b550fc427bfe4f3288cf3c67c81f9f32e7f6aba8a373bc730fe8fa234b77.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oafyVApCH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oafyVApCH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF32.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF32.tmp

Filesize
1KB

MD5
b957d4fa62abc5a187ddc613d1150faf

SHA1
653220c3d9a5e7a292f8fad0687cca9b9c3754a8

SHA256
c24f40da68d2d58c0ab31c372cde8dc147d0321b34aac31f2ad58cf344fd0aea

SHA512
bc4bd27af371ef054e2eefecbed7a7a94b23c4c0dd29aa8be2864ef2695325d6f96dfaa013060ee3e71d0541d74674e3e17de101f9c7137c7de627a2c1bd5ea9

Download Submit
memory/1220-158-0x0000000006430000-0x0000000006480000-memory.dmp

Filesize
320KB

Download
memory/1220-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1240-150-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/1240-152-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/1240-157-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/1240-139-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/1240-156-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/1240-141-0x00000000056C0000-0x0000000005CE8000-memory.dmp

Filesize
6.2MB

Download
memory/1240-155-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

Filesize
56KB

Download
memory/1240-154-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/1240-144-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/1240-145-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/1240-146-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/1240-147-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/1240-148-0x0000000006B80000-0x0000000006BB2000-memory.dmp

Filesize
200KB

Download
memory/1240-149-0x0000000071570000-0x00000000715BC000-memory.dmp

Filesize
304KB

Download
memory/1240-153-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/1240-151-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/2472-132-0x0000000000C60000-0x0000000000D5C000-memory.dmp

Filesize
1008KB

Download
memory/2472-134-0x0000000007BC0000-0x0000000007C52000-memory.dmp

Filesize
584KB

Download
memory/2472-135-0x0000000007D50000-0x0000000007D5A000-memory.dmp

Filesize
40KB

Download
memory/2472-136-0x000000000B7E0000-0x000000000B87C000-memory.dmp

Filesize
624KB

Download
memory/2472-133-0x00000000080B0000-0x0000000008654000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads