agenttesla | 43a0be7895e81ab00df511b6e247641f46291a794c103111e602ff1401ea0324

General

Target

522d2ac90778154b783b8c367901d0dc994e849b.exe
Size

860KB
MD5

60560661bb1ebaf6358a09997fd68c61
SHA1

522d2ac90778154b783b8c367901d0dc994e849b
SHA256

43a0be7895e81ab00df511b6e247641f46291a794c103111e602ff1401ea0324
SHA512

da3e517bace9ebb6c770b0ab03660a56811ba4aba3e83ab21ed1d99b5f99f18082678ddd2887c3a0c644c27511e6e523925ad90bb649deac48c3a66d5c114f61
SSDEEP

12288:bjSWEpeRUrakx5Q2t4rOa/J8OXVbeV2b2WtOez1Gi2Dg1Pjqn0Ta4spUT22tr:bApyUh8Oa/zb2WZz1Giwgbq0r9

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5590596148:AAFELAezvK26mOp3KWIpAgxEVzQMQ56n6zg/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	522d2ac90778154b783b8c367901d0dc994e849b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	522d2ac90778154b783b8c367901d0dc994e849b.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	522d2ac90778154b783b8c367901d0dc994e849b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\JxkFp = "C:\\Users\\Admin\\AppData\\Roaming\\JxkFp\\JxkFp.exe"	522d2ac90778154b783b8c367901d0dc994e849b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1980	522d2ac90778154b783b8c367901d0dc994e849b.exe
1980	522d2ac90778154b783b8c367901d0dc994e849b.exe
1312	522d2ac90778154b783b8c367901d0dc994e849b.exe
1312	522d2ac90778154b783b8c367901d0dc994e849b.exe
2032	powershell.exe
2040	powershell.exe
1312	522d2ac90778154b783b8c367901d0dc994e849b.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe
Token: SeDebugPrivilege	1312	522d2ac90778154b783b8c367901d0dc994e849b.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1312	522d2ac90778154b783b8c367901d0dc994e849b.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2032	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	28
PID 1980 wrote to memory of 2032	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	28
PID 1980 wrote to memory of 2032	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	28
PID 1980 wrote to memory of 2032	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	28
PID 1980 wrote to memory of 2040	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	30
PID 1980 wrote to memory of 2040	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	30
PID 1980 wrote to memory of 2040	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	30
PID 1980 wrote to memory of 2040	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	30
PID 1980 wrote to memory of 268	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	32
PID 1980 wrote to memory of 268	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	32
PID 1980 wrote to memory of 268	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	32
PID 1980 wrote to memory of 268	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	32
PID 1980 wrote to memory of 1832	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	34
PID 1980 wrote to memory of 1832	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	34
PID 1980 wrote to memory of 1832	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	34
PID 1980 wrote to memory of 1832	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	34
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35
PID 1980 wrote to memory of 1312	1980	522d2ac90778154b783b8c367901d0dc994e849b.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	522d2ac90778154b783b8c367901d0dc994e849b.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	522d2ac90778154b783b8c367901d0dc994e849b.exe

C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe
"C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rYfUNaSeLEBFy.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rYfUNaSeLEBFy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95DA.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:268
- C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe
  "C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe"
  2⤵
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe
  "C:\Users\Admin\AppData\Local\Temp\522d2ac90778154b783b8c367901d0dc994e849b.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp95DA.tmp

Filesize
1KB

MD5
1517ba8a404577e00ab0238360bf72a8

SHA1
5b8aed8e6ce1df8f155a191e42e3c93596ddd74a

SHA256
27f2014749e728a4c280a7219ede167dec35632ec1340b563ecd347abed0e83c

SHA512
58a8fb8ca6cc4335dd21c30dc35b86bd9f673ee4f973e71d55f98c78f231d8fd7fb0b2d626bd322c0ee14bd76cdb7ce3f1a1db803afb668d8d3e0e545d7589ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
202cb7e2bcc498e08cc1f202b361fa42

SHA1
f3ebb93110dfd44f78583fa621ba13ba4719364a

SHA256
cacfccc58d72a0ed3df4cd39191af4be078f09064519f562f9b41d41af777644

SHA512
067d42f44aeebc5eaa732adece2f568db0c4352793497d1a133eb701a452a2b06afc34a597f032c8b89a775c1d67c209819e7e20cd32315ea2f22129742324fa

Download Submit
memory/268-62-0x0000000000000000-mapping.dmp

Download
memory/1312-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1312-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1312-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1312-73-0x000000000042A16E-mapping.dmp

Download
memory/1312-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1312-71-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1312-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1312-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1980-66-0x0000000005C00000-0x0000000005C46000-memory.dmp

Filesize
280KB

Download
memory/1980-54-0x0000000000F60000-0x000000000103C000-memory.dmp

Filesize
880KB

Download
memory/1980-58-0x0000000007E10000-0x0000000007E90000-memory.dmp

Filesize
512KB

Download
memory/1980-57-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1980-56-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1980-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2032-80-0x000000006DC60000-0x000000006E20B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-61-0x0000000000000000-mapping.dmp

Download
memory/2040-79-0x000000006DC60000-0x000000006E20B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads