agenttesla | 72d186da41f7d6979ff9b012e4e5b5581da86946d60ffbc5870cc7b99dce192a

General

Target

0a232eac16fadbcea9f371d5f3832d808123297a.exe
Size

440KB
MD5

40652392d1c0899c10858a9427423873
SHA1

0a232eac16fadbcea9f371d5f3832d808123297a
SHA256

72d186da41f7d6979ff9b012e4e5b5581da86946d60ffbc5870cc7b99dce192a
SHA512

e4e9fe0d9bcf958cfca895a0382c3b87bc95d488f70faba6df223609ef7c5f22731beec930bb5e5789e24e3926b76292b8d47a165732a1d58702073ece18455e
SSDEEP

12288:EYrIaib/25w27ww4vveYizJPWX+MBSFF/j:EYrIa6/2y1w4vvniZWueSrj

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1324	yfrwobsza.exe
948	yfrwobsza.exe

Loads dropped DLL 3 IoCs

pid	Process
1524	0a232eac16fadbcea9f371d5f3832d808123297a.exe
1524	0a232eac16fadbcea9f371d5f3832d808123297a.exe
1324	yfrwobsza.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yfrwobsza.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yfrwobsza.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yfrwobsza.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1324 set thread context of 948	1324	yfrwobsza.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
948	yfrwobsza.exe
948	yfrwobsza.exe
948	yfrwobsza.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1324	yfrwobsza.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	yfrwobsza.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1324	1524	0a232eac16fadbcea9f371d5f3832d808123297a.exe	26
PID 1524 wrote to memory of 1324	1524	0a232eac16fadbcea9f371d5f3832d808123297a.exe	26
PID 1524 wrote to memory of 1324	1524	0a232eac16fadbcea9f371d5f3832d808123297a.exe	26
PID 1524 wrote to memory of 1324	1524	0a232eac16fadbcea9f371d5f3832d808123297a.exe	26
PID 1324 wrote to memory of 948	1324	yfrwobsza.exe	27
PID 1324 wrote to memory of 948	1324	yfrwobsza.exe	27
PID 1324 wrote to memory of 948	1324	yfrwobsza.exe	27
PID 1324 wrote to memory of 948	1324	yfrwobsza.exe	27
PID 1324 wrote to memory of 948	1324	yfrwobsza.exe	27

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yfrwobsza.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	yfrwobsza.exe

C:\Users\Admin\AppData\Local\Temp\0a232eac16fadbcea9f371d5f3832d808123297a.exe
"C:\Users\Admin\AppData\Local\Temp\0a232eac16fadbcea9f371d5f3832d808123297a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe
  "C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe" C:\Users\Admin\AppData\Local\Temp\boxgr.nzz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe
    "C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\boxgr.nzz

Filesize
5KB

MD5
76212b3973c44a9a42631ffd61549436

SHA1
d3b7d192391f27c1aa13a905f5bcaff1331786c8

SHA256
1f512fb80f7f2952415fc9a0187cddc402e2adefc5aa89501675faa13798573f

SHA512
7f09f60974d281c0375d1bba5d80608800f2baf4f6d20fb7e47fe391f99985ccec10e3680d5dab3b2501cb67f11c26a7f2373bbd774a6be032724d1838333bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe

Filesize
52KB

MD5
223ab616ed36775939bc40ea5b38d81e

SHA1
9507b703c798f77fcb289156403037b5316375a0

SHA256
bb552cda9a74468e390ccc39c249850e936035e826bc1d3981475d7a3338695f

SHA512
e09756f9f908bffd939aee771c7f9b1d10cd385113f34c36134f5aa3cf332334dda0991181208932ea2369e4b9dbc9b0647f5bd568f2a77ba943ab7d64bceea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe

Filesize
52KB

MD5
223ab616ed36775939bc40ea5b38d81e

SHA1
9507b703c798f77fcb289156403037b5316375a0

SHA256
bb552cda9a74468e390ccc39c249850e936035e826bc1d3981475d7a3338695f

SHA512
e09756f9f908bffd939aee771c7f9b1d10cd385113f34c36134f5aa3cf332334dda0991181208932ea2369e4b9dbc9b0647f5bd568f2a77ba943ab7d64bceea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yfrwobsza.exe

Filesize
52KB

MD5
223ab616ed36775939bc40ea5b38d81e

SHA1
9507b703c798f77fcb289156403037b5316375a0

SHA256
bb552cda9a74468e390ccc39c249850e936035e826bc1d3981475d7a3338695f

SHA512
e09756f9f908bffd939aee771c7f9b1d10cd385113f34c36134f5aa3cf332334dda0991181208932ea2369e4b9dbc9b0647f5bd568f2a77ba943ab7d64bceea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zwqqwu.fx

Filesize
257KB

MD5
9f43722e28a716e5aba7873eb2120c1c

SHA1
2589f561703a5fb82ef323808d8b9b38ce0eba29

SHA256
796db45c62753dc34cf7ee487f0b0db3e4bd61377042b26a5a50d07d421892e1

SHA512
0871d0eeb7f5b3b30ee37707791548135a0bb539999bebca4c93ca5c86a19f78327b98241e7bc0594dc23b58fb646cb85670a8cf4fa406531deb68bfd84dab76

Download Submit
\Users\Admin\AppData\Local\Temp\yfrwobsza.exe

Filesize
52KB

MD5
223ab616ed36775939bc40ea5b38d81e

SHA1
9507b703c798f77fcb289156403037b5316375a0

SHA256
bb552cda9a74468e390ccc39c249850e936035e826bc1d3981475d7a3338695f

SHA512
e09756f9f908bffd939aee771c7f9b1d10cd385113f34c36134f5aa3cf332334dda0991181208932ea2369e4b9dbc9b0647f5bd568f2a77ba943ab7d64bceea2

Download Submit
\Users\Admin\AppData\Local\Temp\yfrwobsza.exe

Filesize
52KB

MD5
223ab616ed36775939bc40ea5b38d81e

SHA1
9507b703c798f77fcb289156403037b5316375a0

SHA256
bb552cda9a74468e390ccc39c249850e936035e826bc1d3981475d7a3338695f

SHA512
e09756f9f908bffd939aee771c7f9b1d10cd385113f34c36134f5aa3cf332334dda0991181208932ea2369e4b9dbc9b0647f5bd568f2a77ba943ab7d64bceea2

Download Submit
\Users\Admin\AppData\Local\Temp\yfrwobsza.exe

Filesize
52KB

MD5
223ab616ed36775939bc40ea5b38d81e

SHA1
9507b703c798f77fcb289156403037b5316375a0

SHA256
bb552cda9a74468e390ccc39c249850e936035e826bc1d3981475d7a3338695f

SHA512
e09756f9f908bffd939aee771c7f9b1d10cd385113f34c36134f5aa3cf332334dda0991181208932ea2369e4b9dbc9b0647f5bd568f2a77ba943ab7d64bceea2

Download Submit
memory/948-66-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/948-67-0x00000000043C0000-0x00000000043EE000-memory.dmp

Filesize
184KB

Download
memory/1524-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing