agenttesla | 4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698

General

Target

Fatura_SUN202200000166.exe
Size

460KB
MD5

25b24cc692dbff9a944e08722cf67574
SHA1

dedce1680f802b0ddc708ab74eba5cd5f87e658f
SHA256

4dfcba72b64ae285fee5ba43764d81e4c436ce8df68730405c197b5ac69d3698
SHA512

64bc777c16e887e85cb4c8b263fa33589120d7ce77cb94e9c3ed1ad1242954ce3e4c04b544c28335f84ebe18f100d43ed99d59096415e315df303bb3ded255e3
SSDEEP

12288:iY5/tFGdaxnb/4zjXvj5uIG3GpAu8EY9I:iY5/rW6nb/4f/Fm2pVA9I

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2228	azwiudrxkn.exe
2840	azwiudrxkn.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	azwiudrxkn.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	azwiudrxkn.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	azwiudrxkn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lxixchy = "C:\\Users\\Admin\\AppData\\Roaming\\wjllukpsewxf\\hwtjp.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\azwiudrxkn.exe\" C:\\Users\\Admin\\AppData\\Lo"	azwiudrxkn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GsHLJkZ = "C:\\Users\\Admin\\AppData\\Roaming\\GsHLJkZ\\GsHLJkZ.exe"	azwiudrxkn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2228 set thread context of 2840	2228	azwiudrxkn.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2840	azwiudrxkn.exe
2840	azwiudrxkn.exe
2840	azwiudrxkn.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2228	azwiudrxkn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	azwiudrxkn.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 2228	3724	Fatura_SUN202200000166.exe	80
PID 3724 wrote to memory of 2228	3724	Fatura_SUN202200000166.exe	80
PID 3724 wrote to memory of 2228	3724	Fatura_SUN202200000166.exe	80
PID 2228 wrote to memory of 2840	2228	azwiudrxkn.exe	81
PID 2228 wrote to memory of 2840	2228	azwiudrxkn.exe	81
PID 2228 wrote to memory of 2840	2228	azwiudrxkn.exe	81
PID 2228 wrote to memory of 2840	2228	azwiudrxkn.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	azwiudrxkn.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	azwiudrxkn.exe

C:\Users\Admin\AppData\Local\Temp\Fatura_SUN202200000166.exe
"C:\Users\Admin\AppData\Local\Temp\Fatura_SUN202200000166.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe
  "C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe" C:\Users\Admin\AppData\Local\Temp\mwynqzv.h
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe
    "C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe

Filesize
87KB

MD5
96970abeeedc0341ba36c8c3654d5a9b

SHA1
63f72352e5caade0b33822e8a1c4fbfce34223c3

SHA256
74c63cc8b30d7fab467f2ed820605e5d357ef1ee7c978eb2ee32bab91b650229

SHA512
03f451597158a5a774c63c871cc557cfe49f760b332de12c31c57ae2ccf32139f7a445bc661a68ab0b7530236993b414ba06e3f73d2fac0eba3acab8799708ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe

Filesize
87KB

MD5
96970abeeedc0341ba36c8c3654d5a9b

SHA1
63f72352e5caade0b33822e8a1c4fbfce34223c3

SHA256
74c63cc8b30d7fab467f2ed820605e5d357ef1ee7c978eb2ee32bab91b650229

SHA512
03f451597158a5a774c63c871cc557cfe49f760b332de12c31c57ae2ccf32139f7a445bc661a68ab0b7530236993b414ba06e3f73d2fac0eba3acab8799708ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\azwiudrxkn.exe

Filesize
87KB

MD5
96970abeeedc0341ba36c8c3654d5a9b

SHA1
63f72352e5caade0b33822e8a1c4fbfce34223c3

SHA256
74c63cc8b30d7fab467f2ed820605e5d357ef1ee7c978eb2ee32bab91b650229

SHA512
03f451597158a5a774c63c871cc557cfe49f760b332de12c31c57ae2ccf32139f7a445bc661a68ab0b7530236993b414ba06e3f73d2fac0eba3acab8799708ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwynqzv.h

Filesize
7KB

MD5
586b18ca8b36dc077b6e5ed53735b109

SHA1
200dceeaea799ac03d9bee96c6710f18b304f905

SHA256
aeb74eaf6b0fe0c95278e7a51d84fb85a3cb976e7a379eabc984396ab1aa9ccf

SHA512
0ae501b48cb41a73c271d0b22879eebf2839a27b7744e77de0d8d33262bd3835477475e9f9f9b7d5e12bdcf7a73eddbfcc95933c1d6fd18fe967d5ec716a4700

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuxpvq.mki

Filesize
259KB

MD5
9694626481ea262798c10bf9b5a86fd6

SHA1
ccd481dde6f4e5157d98494d868ba48cb9bdf70e

SHA256
26a96a2f78df5db5cd770d3df8776d8f689e2691ab858e18034d7decf86045e9

SHA512
9eec2f1d93299276987c1337a27a9e9bcccfe1cd2a1ce7495acbcd975e603159f1d74f028105b2e4bbffd61c8e71c3e699b5bab843461416862e0169d20b5a5b

Download Submit
memory/2228-132-0x0000000000000000-mapping.dmp

Download
memory/2840-137-0x0000000000000000-mapping.dmp

Download
memory/2840-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-140-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/2840-141-0x00000000049D0000-0x0000000004A6C000-memory.dmp

Filesize
624KB

Download
memory/2840-142-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/2840-143-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/2840-144-0x0000000006070000-0x000000000607A000-memory.dmp

Filesize
40KB

Download
memory/2840-145-0x0000000006240000-0x0000000006290000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing