agenttesla | b0fdb78c68324224076f2d39061d3ad13c254e265a1842d87a6e7c8d49094e0e

General

Target

a62d53b4c696972c717f444b1cf6ccda07dbc124.exe
Size

570KB
MD5

7a6ac533312d5f4e462a1b9beda03cfd
SHA1

a62d53b4c696972c717f444b1cf6ccda07dbc124
SHA256

b0fdb78c68324224076f2d39061d3ad13c254e265a1842d87a6e7c8d49094e0e
SHA512

d98b17806980b209a53034314ab2278df9ffedcdf1cb8535c944ec1dc1f811d17486945fa4a8862338db842b2c7fe666d0bbe75fd158770268a534d10254e210
SSDEEP

12288:IY5ZNf4zIxNh8k7577uDHUTTAiha8ZRI0G17GnRDm7In75HmG:IY5szIrWmd7pFha8ZK+RDm7IkG

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.elec-qatar.com
Port:
587
Username:
[email protected]
Password:
MHabrar2019@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2036	ihggei.exe
1712	ihggei.exe

Loads dropped DLL 3 IoCs

pid	Process
880	a62d53b4c696972c717f444b1cf6ccda07dbc124.exe
880	a62d53b4c696972c717f444b1cf6ccda07dbc124.exe
2036	ihggei.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihggei.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihggei.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihggei.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1712	2036	ihggei.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1712	ihggei.exe
1712	ihggei.exe
1712	ihggei.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2036	ihggei.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	ihggei.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2036	880	a62d53b4c696972c717f444b1cf6ccda07dbc124.exe	27
PID 880 wrote to memory of 2036	880	a62d53b4c696972c717f444b1cf6ccda07dbc124.exe	27
PID 880 wrote to memory of 2036	880	a62d53b4c696972c717f444b1cf6ccda07dbc124.exe	27
PID 880 wrote to memory of 2036	880	a62d53b4c696972c717f444b1cf6ccda07dbc124.exe	27
PID 2036 wrote to memory of 1712	2036	ihggei.exe	28
PID 2036 wrote to memory of 1712	2036	ihggei.exe	28
PID 2036 wrote to memory of 1712	2036	ihggei.exe	28
PID 2036 wrote to memory of 1712	2036	ihggei.exe	28
PID 2036 wrote to memory of 1712	2036	ihggei.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihggei.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ihggei.exe

C:\Users\Admin\AppData\Local\Temp\a62d53b4c696972c717f444b1cf6ccda07dbc124.exe
"C:\Users\Admin\AppData\Local\Temp\a62d53b4c696972c717f444b1cf6ccda07dbc124.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\ihggei.exe
  "C:\Users\Admin\AppData\Local\Temp\ihggei.exe" C:\Users\Admin\AppData\Local\Temp\rbxpcrmavss.xwo
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\ihggei.exe
    "C:\Users\Admin\AppData\Local\Temp\ihggei.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ihggei.exe

Filesize
61KB

MD5
d4555e7037539975e89704b6e6b08ab4

SHA1
9f2fa752eda028eea14e10fb356f56a8930d70c9

SHA256
344466bcc5bfd5112dedb0e287efd02518c764cb75e2f8cd0309cf077f6f638a

SHA512
aaff7c05bbbbda9ffd0623b6c0cb51d2ca013edb3f7aec71b3ce5945342a730384da21a7a07f84137801775f32a3fe1013e48d491473f61346be0f70bd6f91f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihggei.exe

Filesize
61KB

MD5
d4555e7037539975e89704b6e6b08ab4

SHA1
9f2fa752eda028eea14e10fb356f56a8930d70c9

SHA256
344466bcc5bfd5112dedb0e287efd02518c764cb75e2f8cd0309cf077f6f638a

SHA512
aaff7c05bbbbda9ffd0623b6c0cb51d2ca013edb3f7aec71b3ce5945342a730384da21a7a07f84137801775f32a3fe1013e48d491473f61346be0f70bd6f91f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihggei.exe

Filesize
61KB

MD5
d4555e7037539975e89704b6e6b08ab4

SHA1
9f2fa752eda028eea14e10fb356f56a8930d70c9

SHA256
344466bcc5bfd5112dedb0e287efd02518c764cb75e2f8cd0309cf077f6f638a

SHA512
aaff7c05bbbbda9ffd0623b6c0cb51d2ca013edb3f7aec71b3ce5945342a730384da21a7a07f84137801775f32a3fe1013e48d491473f61346be0f70bd6f91f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rbxpcrmavss.xwo

Filesize
5KB

MD5
f164e92b14168182dcfefb46f8e43ebe

SHA1
b0ad34bc187ef0c9a405020e303cc5d31db18baa

SHA256
ebfe64d02fb2e061c5612d8cf2a1dbcb46b0b9edb790cef6fb0cb4d2088fe917

SHA512
800dcfc7b7d9c7f611858254fdef53164e5ecfd2319c55bd2d4ed9a676828b997d119c99e33105d35eedbb6889b5575a8deea8802dfe637fb4098cdcf894dc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\whefdc.py

Filesize
315KB

MD5
ba61d96dd0d8baaa12ba55bb05f816fa

SHA1
6e9cee9b9235c50df6f75024cd45aa177c614943

SHA256
5acf436523bf855e5aecf584d5cf9ed92d16aa8fbeca06c914df5acab7b3d96e

SHA512
ef6d48e0ea4457c0de37682aa6bfface229d55fe9cfb33d237f5429e7726b89097a2c123689ee5c2c94b8644468283dcf8e6f49c6239cfd512a6f4ec454898d8

Download Submit
\Users\Admin\AppData\Local\Temp\ihggei.exe

Filesize
61KB

MD5
d4555e7037539975e89704b6e6b08ab4

SHA1
9f2fa752eda028eea14e10fb356f56a8930d70c9

SHA256
344466bcc5bfd5112dedb0e287efd02518c764cb75e2f8cd0309cf077f6f638a

SHA512
aaff7c05bbbbda9ffd0623b6c0cb51d2ca013edb3f7aec71b3ce5945342a730384da21a7a07f84137801775f32a3fe1013e48d491473f61346be0f70bd6f91f6

Download Submit
\Users\Admin\AppData\Local\Temp\ihggei.exe

Filesize
61KB

MD5
d4555e7037539975e89704b6e6b08ab4

SHA1
9f2fa752eda028eea14e10fb356f56a8930d70c9

SHA256
344466bcc5bfd5112dedb0e287efd02518c764cb75e2f8cd0309cf077f6f638a

SHA512
aaff7c05bbbbda9ffd0623b6c0cb51d2ca013edb3f7aec71b3ce5945342a730384da21a7a07f84137801775f32a3fe1013e48d491473f61346be0f70bd6f91f6

Download Submit
\Users\Admin\AppData\Local\Temp\ihggei.exe

Filesize
61KB

MD5
d4555e7037539975e89704b6e6b08ab4

SHA1
9f2fa752eda028eea14e10fb356f56a8930d70c9

SHA256
344466bcc5bfd5112dedb0e287efd02518c764cb75e2f8cd0309cf077f6f638a

SHA512
aaff7c05bbbbda9ffd0623b6c0cb51d2ca013edb3f7aec71b3ce5945342a730384da21a7a07f84137801775f32a3fe1013e48d491473f61346be0f70bd6f91f6

Download Submit
memory/880-54-0x0000000076871000-0x0000000076873000-memory.dmp

Filesize
8KB

Download
memory/1712-63-0x0000000000401896-mapping.dmp

Download
memory/1712-66-0x00000000005E0000-0x000000000061C000-memory.dmp

Filesize
240KB

Download
memory/1712-67-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing