agenttesla | f2d560f960b4ab660621fef4d25d6b83b27da3deb53c1b0159c8abbc935a0ce4

General

Target

137a3eaa6f4f03f22e1cdae233dbf15861d659cc.exe
Size

462KB
MD5

cc9076a6bd489b43111476ac1dafc23e
SHA1

137a3eaa6f4f03f22e1cdae233dbf15861d659cc
SHA256

f2d560f960b4ab660621fef4d25d6b83b27da3deb53c1b0159c8abbc935a0ce4
SHA512

93619489deaa391e8916503ebe68b86cc6d4d1cdcafe3bdd10707eaaba34c17fb3218fe3a8efbe8d3589a7d7249f6d68afb46d2a1d38d1e5e10052965e5b61c4
SSDEEP

6144:qYa6DH51gRlSJfbv/2cAXHJGax96abkP0sHBGopCj531OIB7gSLt/HQ7bN:qYJZVJfiDZjMaby5hl23rsEt/HuJ

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
4848	wuainfmlq.exe
5096	wuainfmlq.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wuainfmlq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wuainfmlq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wuainfmlq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 5096	4848	wuainfmlq.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5096	wuainfmlq.exe
5096	wuainfmlq.exe
5096	wuainfmlq.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4848	wuainfmlq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	wuainfmlq.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4848	4856	137a3eaa6f4f03f22e1cdae233dbf15861d659cc.exe	81
PID 4856 wrote to memory of 4848	4856	137a3eaa6f4f03f22e1cdae233dbf15861d659cc.exe	81
PID 4856 wrote to memory of 4848	4856	137a3eaa6f4f03f22e1cdae233dbf15861d659cc.exe	81
PID 4848 wrote to memory of 5096	4848	wuainfmlq.exe	82
PID 4848 wrote to memory of 5096	4848	wuainfmlq.exe	82
PID 4848 wrote to memory of 5096	4848	wuainfmlq.exe	82
PID 4848 wrote to memory of 5096	4848	wuainfmlq.exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wuainfmlq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wuainfmlq.exe

C:\Users\Admin\AppData\Local\Temp\137a3eaa6f4f03f22e1cdae233dbf15861d659cc.exe
"C:\Users\Admin\AppData\Local\Temp\137a3eaa6f4f03f22e1cdae233dbf15861d659cc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe
  "C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe" C:\Users\Admin\AppData\Local\Temp\jgxpcje.m
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe
    "C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jgxpcje.m

Filesize
5KB

MD5
3cb225d4202f981bc30bc17e833485e3

SHA1
f1149a88c69ad9de40f114294f8023f00f117640

SHA256
49b3012fba16fe6b2c5f6ad4e6b7073ae68163674c07ea913896a8dc6ef85760

SHA512
4215c38fcead666a60b7e003ae25f04c65265f42b7a7a0f389d20a01c51e6b0732687e7cb38f0758bedd4c42b17617f15e262a9cff69f37eb72bbc89e1e6b328

Download Submit
C:\Users\Admin\AppData\Local\Temp\movxfuk.a

Filesize
257KB

MD5
72ed3ead9ff5630cd73b09da9d56b1c6

SHA1
80bd15d59ac2920c9e2932cb3645059614ab41ba

SHA256
26873724de33ac7655aabc593e25d31649f87de8e1a6f114a95c3c18229f31bf

SHA512
a8740494d6b4fb2bc39c2ba42860b4cb63c3f3d3827a3652f13c3d2de9b5294b60b8c0205aced3d2df6aa6fbd5ea1765e6c51b0a533f3f3cb0ba70eaaac0fe50

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe

Filesize
84KB

MD5
ffea6028b1a3d2f945a24e18d5c76662

SHA1
4504a6e6804471998d0ed5a800414501b2f17343

SHA256
169ec7cd779c63e2bb2490076b8c07dfeb6d3339576f66dc6a87a2af7de174de

SHA512
820e2138b64f266cbecb64f464e31d8de72d1e07309dce5a111e9d0df9f46f077a1ba2ce3e3f8fc83a06dedf2ec3924806d01e7dba324a7862d623af06a854f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe

Filesize
84KB

MD5
ffea6028b1a3d2f945a24e18d5c76662

SHA1
4504a6e6804471998d0ed5a800414501b2f17343

SHA256
169ec7cd779c63e2bb2490076b8c07dfeb6d3339576f66dc6a87a2af7de174de

SHA512
820e2138b64f266cbecb64f464e31d8de72d1e07309dce5a111e9d0df9f46f077a1ba2ce3e3f8fc83a06dedf2ec3924806d01e7dba324a7862d623af06a854f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wuainfmlq.exe

Filesize
84KB

MD5
ffea6028b1a3d2f945a24e18d5c76662

SHA1
4504a6e6804471998d0ed5a800414501b2f17343

SHA256
169ec7cd779c63e2bb2490076b8c07dfeb6d3339576f66dc6a87a2af7de174de

SHA512
820e2138b64f266cbecb64f464e31d8de72d1e07309dce5a111e9d0df9f46f077a1ba2ce3e3f8fc83a06dedf2ec3924806d01e7dba324a7862d623af06a854f4

Download Submit
memory/5096-139-0x0000000004820000-0x0000000004DC4000-memory.dmp

Filesize
5.6MB

Download
memory/5096-140-0x0000000004E40000-0x0000000004EDC000-memory.dmp

Filesize
624KB

Download
memory/5096-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5096-142-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/5096-143-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/5096-144-0x0000000005F60000-0x0000000005F6A000-memory.dmp

Filesize
40KB

Download
memory/5096-145-0x0000000006070000-0x00000000060C0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing