agenttesla | 2299434f679982522b05bb2d725105b0d6adf6d8ab7b9c6c9b508eb50d26d99a

General

Target

ce49565cf14de17f14177b42314797c49108d529.exe
Size

437KB
MD5

4c5080912da359cbfd2b7537e309ab90
SHA1

ce49565cf14de17f14177b42314797c49108d529
SHA256

2299434f679982522b05bb2d725105b0d6adf6d8ab7b9c6c9b508eb50d26d99a
SHA512

662a4f36c5c64a59e9220d5ccb482c06a145c7e523ba55c750ed3167ebeff73dd82ab5d3aa3a4f2744f33702964dbab0722668c0ef5dea9b7943fa98ec209559
SSDEEP

6144:UYa6Gos8IFJb3WX7Ww+F5TovBd6vs/lGbN8UnOMhT+wDyUbvKRnql:UYXsz3EqwvvBgmQb7nFFFDyUx

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
5092	fffgyk.exe
380	fffgyk.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fffgyk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fffgyk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fffgyk.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5092 set thread context of 380	5092	fffgyk.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
380	fffgyk.exe
380	fffgyk.exe
380	fffgyk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5092	fffgyk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	fffgyk.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 5092	5000	ce49565cf14de17f14177b42314797c49108d529.exe	83
PID 5000 wrote to memory of 5092	5000	ce49565cf14de17f14177b42314797c49108d529.exe	83
PID 5000 wrote to memory of 5092	5000	ce49565cf14de17f14177b42314797c49108d529.exe	83
PID 5092 wrote to memory of 380	5092	fffgyk.exe	84
PID 5092 wrote to memory of 380	5092	fffgyk.exe	84
PID 5092 wrote to memory of 380	5092	fffgyk.exe	84
PID 5092 wrote to memory of 380	5092	fffgyk.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fffgyk.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	fffgyk.exe

C:\Users\Admin\AppData\Local\Temp\ce49565cf14de17f14177b42314797c49108d529.exe
"C:\Users\Admin\AppData\Local\Temp\ce49565cf14de17f14177b42314797c49108d529.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\fffgyk.exe
  "C:\Users\Admin\AppData\Local\Temp\fffgyk.exe" C:\Users\Admin\AppData\Local\Temp\vjkhfv.f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\fffgyk.exe
    "C:\Users\Admin\AppData\Local\Temp\fffgyk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fffgyk.exe

Filesize
52KB

MD5
9eae06a9500c818724f197ce6a444725

SHA1
960f40958e037df0227d878cb93266b3f72cb251

SHA256
3fd47d822ad7615ae618bb6af850f4c62190bd78db203df66cd64a7f96b6eeb8

SHA512
d98b32158fbae323f53fc20cabe16bb0223cc40a93d100a2f041064311280c4e95bfd4a28c99609c8a8ecdefd5b131a416734295c32f16f1f83f658f6dcd64cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fffgyk.exe

Filesize
52KB

MD5
9eae06a9500c818724f197ce6a444725

SHA1
960f40958e037df0227d878cb93266b3f72cb251

SHA256
3fd47d822ad7615ae618bb6af850f4c62190bd78db203df66cd64a7f96b6eeb8

SHA512
d98b32158fbae323f53fc20cabe16bb0223cc40a93d100a2f041064311280c4e95bfd4a28c99609c8a8ecdefd5b131a416734295c32f16f1f83f658f6dcd64cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fffgyk.exe

Filesize
52KB

MD5
9eae06a9500c818724f197ce6a444725

SHA1
960f40958e037df0227d878cb93266b3f72cb251

SHA256
3fd47d822ad7615ae618bb6af850f4c62190bd78db203df66cd64a7f96b6eeb8

SHA512
d98b32158fbae323f53fc20cabe16bb0223cc40a93d100a2f041064311280c4e95bfd4a28c99609c8a8ecdefd5b131a416734295c32f16f1f83f658f6dcd64cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vihnfhc.fek

Filesize
257KB

MD5
3e3aafdb5001d91903aa03048b2ed602

SHA1
7acd4b9e9c76b709155e41a73e6232c3cfe9dedf

SHA256
e64c9ff3dbbc12f5f2b8dd6b0defa00b3a0b990bbec0eaec6e16172d8259fe31

SHA512
e9e266b30be69e276c320f59f9aeb224ead049220fe2bc335e6c0e947b3ebec379ca4b1e8b4c610eb79a6335a82b4f82072ae9c61bc85a86e18631fce7aea152

Download Submit
C:\Users\Admin\AppData\Local\Temp\vjkhfv.f

Filesize
5KB

MD5
507b5368cda0de2c2358e5d157b2e5cf

SHA1
4f8f0895ea26899cae49cd19e1a122e5c6489f89

SHA256
eb2e20b532fade24ded6d778564c257c231bf3aa9b3c74f389bf8a8178cb5c54

SHA512
f6b05f386f5a36535d94f4bed6dd36a4757e226bb2990c80865b77b65793242a62a066c0deb90c58500c44b4a45e235c2eb82d564acd8020204b48c6ead15e46

Download Submit
memory/380-137-0x0000000000000000-mapping.dmp

Download
memory/380-139-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/380-140-0x0000000004870000-0x0000000004E14000-memory.dmp

Filesize
5.6MB

Download
memory/380-141-0x0000000004E50000-0x0000000004EEC000-memory.dmp

Filesize
624KB

Download
memory/380-142-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/380-143-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/380-144-0x0000000005C40000-0x0000000005C4A000-memory.dmp

Filesize
40KB

Download
memory/380-145-0x00000000060C0000-0x0000000006110000-memory.dmp

Filesize
320KB

Download
memory/5092-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing