agenttesla | eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2023, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe
Size

1.4MB
MD5

1e667b9347d95ae3ed896fd2d7a07004
SHA1

8acc1da971d6c41224cb3a4ecea6d8cfd17d463e
SHA256

eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40
SHA512

da2f988d322aedfae77d5146ec8dbfbc8221448b5f09fac67f2e6f71dec363dc996fe44d8903b6dc125b2f7d9dd4cf41d478653e3162a5897fc5de6e656e6b52
SSDEEP

24576:QAOcZNO5kFiNBfipwizdoq21GhKP770lYglQTQD3+L8Fl:OEsNQdXo7IlYgaG+L0l

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot1836400811:AAHbceSsBewgu2-18DdhyOIr5kwyIr-_36E/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 1 IoCs

pid	Process
1688	prqkrhdxll.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	prqkrhdxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5_52\\PRQKRH~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\5_52\\qpjac.wjt"	prqkrhdxll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AutoUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5_52\\Update.vbs"	prqkrhdxll.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	api.ipify.org
11	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1688 set thread context of 2596	1688	prqkrhdxll.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
2596	RegSvcs.exe
2596	RegSvcs.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
2596	RegSvcs.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe
1688	prqkrhdxll.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2596	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 1044	4460	eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe	80
PID 4460 wrote to memory of 1044	4460	eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe	80
PID 4460 wrote to memory of 1044	4460	eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe	80
PID 1044 wrote to memory of 1688	1044	WScript.exe	81
PID 1044 wrote to memory of 1688	1044	WScript.exe	81
PID 1044 wrote to memory of 1688	1044	WScript.exe	81
PID 1688 wrote to memory of 2596	1688	prqkrhdxll.exe	82
PID 1688 wrote to memory of 2596	1688	prqkrhdxll.exe	82
PID 1688 wrote to memory of 2596	1688	prqkrhdxll.exe	82
PID 1688 wrote to memory of 2596	1688	prqkrhdxll.exe	82
PID 1688 wrote to memory of 2596	1688	prqkrhdxll.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe
"C:\Users\Admin\AppData\Local\Temp\eff08088f90a7edb6db9e6561249dce53c56c4a682cd114e43befabed147fc40.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\5_52\vjdqtt.vbe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\5_52\prqkrhdxll.exe
    "C:\Users\Admin\AppData\Local\Temp\5_52\prqkrhdxll.exe" qpjac.wjt
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5_52\jmugrh.ini

Filesize
60KB

MD5
de2e788a4b32267ffa9d168caebda262

SHA1
9f7bb2c7c83ca3007bcb517794b449f1468cbe4c

SHA256
487c05a065ee32b2c653f6028ef0652ea4b86231e105789324f2dce53ddc250e

SHA512
d33aa7e3407481e2b3211ce4fe56cb773b29a2521a068fbc8056dbd4c3bddd53bd2ae80cd0686feaaee795729b647dee0230f6d1b76624e84b833a077367c73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5_52\prqkrhdxll.exe

Filesize
1.1MB

MD5
523ca3f2ebf61412d374b045e4e6521f

SHA1
46082730d8d0f7e25f6851c2bface6b322b299c7

SHA256
280ed2ff8f0b3c9482abe3620ad99b20a8002ddcf2aa0fdc8ab115a03992439d

SHA512
6d08f1bd503a88e123e0f1b48a688a1d2a765afdff39f4c270c902f10f4be34098ef9f319b6cbb7961abd646b285947dd5b81a0c2ba21aace860780470a1d866

Download Submit
C:\Users\Admin\AppData\Local\Temp\5_52\prqkrhdxll.exe

Filesize
1.1MB

MD5
523ca3f2ebf61412d374b045e4e6521f

SHA1
46082730d8d0f7e25f6851c2bface6b322b299c7

SHA256
280ed2ff8f0b3c9482abe3620ad99b20a8002ddcf2aa0fdc8ab115a03992439d

SHA512
6d08f1bd503a88e123e0f1b48a688a1d2a765afdff39f4c270c902f10f4be34098ef9f319b6cbb7961abd646b285947dd5b81a0c2ba21aace860780470a1d866

Download Submit
C:\Users\Admin\AppData\Local\Temp\5_52\qpjac.wjt

Filesize
156.9MB

MD5
d07d65dca9f6ec153e59f245e9aa1fa1

SHA1
7165ff3b321ff1c4e7794ba554ac5cd729f068ab

SHA256
f3ed242d13cc8200f3d98a0de469981d5f9b5ef844b41ef48ac397d5182b1359

SHA512
fd2dfd8180fe1252c2778a562571d5fb74d363af703a6e503b9b0954100eb968c33549ffe785e6b089b022dbf9b861b6fb1b50a2a3cfbd2186d162092dbb404a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5_52\whkbk.vch

Filesize
436KB

MD5
dc7108ed04f5cdbc321dad6b9446f6e8

SHA1
8e07a4fff84d3f711c5382c27bddf3ef3c51ce1c

SHA256
7be1f4b63b4fff029bbb7705081fc80204bd0e8a6ec214cde23c0de70670a30a

SHA512
db021420db14c8e104c2de45d447d4abebe165864f01553d812ac830502e3eda57cee32a8287259a5f8e55e5c5f7bea3437c8ab338e20203a9f94764450b07b8

Download Submit
C:\Users\Admin\AppData\Local\temp\5_52\vjdqtt.vbe

Filesize
28KB

MD5
09a25800d47096e75796cdc17fddb6b5

SHA1
cc0d5036d697f28465b32caacdaa1e76a242aec6

SHA256
c48de33f08490c6390d80f3e9314b896714ec3bba29214fa07ebe49baed05bbb

SHA512
3e61bbd55495ae89020251f249a04d1207547c725aad2024b67d2ca2e2f2487ca77d719fdba0d107fd85381d8d45e6cdb1c57071064dbbe09d626ad146ccf776

Download Submit
memory/2596-141-0x0000000001370000-0x0000000001ABF000-memory.dmp

Filesize
7.3MB

Download
memory/2596-142-0x0000000001370000-0x00000000013AC000-memory.dmp

Filesize
240KB

Download
memory/2596-143-0x00000000066F0000-0x0000000006C94000-memory.dmp

Filesize
5.6MB

Download
memory/2596-144-0x0000000006140000-0x00000000061DC000-memory.dmp

Filesize
624KB

Download
memory/2596-145-0x0000000006E80000-0x0000000006EE6000-memory.dmp

Filesize
408KB

Download
memory/2596-146-0x0000000007660000-0x00000000076B0000-memory.dmp

Filesize
320KB

Download
memory/2596-147-0x00000000077D0000-0x0000000007862000-memory.dmp

Filesize
584KB

Download
memory/2596-148-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download