agenttesla | 3059d397df293d2e922f386abaf6cb264005b41274e33fd5b2d909407d6db256

General

Target

Purchase Order No. BCM190282Project.exe
Size

552KB
MD5

085621949a07bb1b819fe5c6894e7381
SHA1

01137a34ab984239fc8517dd79635aaabbfa27b2
SHA256

e183f9caf4ab50798816cb2619cbae642d0952df6cf0820524ef2ca631728b3d
SHA512

2c622c8b1d5d22957bd03be3fd3271c3eb592aff40b7ef5bbe47cfd484f5305e8aab907befdf5a356200f69bfd887843abb3d94a5c00668601f4b9782ab0ad96
SSDEEP

6144:SDgK3Jc/yQeIBLXKvZm5BnZhFY+X550ykb6w5jZSZFMIWJaO74kr2BMRIbhQFu+K:0d5c66BLX/PZjpQNCAaOEkuTEo3

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
Smtp.ionos.es
Port:
587
Username:
mgonzalez@inkor.es
Password:
Random1@@##

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
Smtp.ionos.es
Port:
587
Username:
mgonzalez@inkor.es
Password:
Random1@@##
Email To:
fresh.italian@yandex.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order No. BCM190282Project.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Purchase Order No. BCM190282Project.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Purchase Order No. BCM190282Project.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order No. BCM190282Project.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order No. BCM190282Project.exe
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order No. BCM190282Project.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 api.ipify.org
43 api.ipify.org

flow	ioc
42	api.ipify.org
43	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order No. BCM190282Project.exe

description	pid	process	target process
PID 2096 set thread context of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4228 schtasks.exe

pid	process
4228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Purchase Order No. BCM190282Project.exepowershell.exepowershell.exePurchase Order No. BCM190282Project.exe

pid	process
2096	Purchase Order No. BCM190282Project.exe
2932	powershell.exe
1432	powershell.exe
2096	Purchase Order No. BCM190282Project.exe
64	Purchase Order No. BCM190282Project.exe
64	Purchase Order No. BCM190282Project.exe
2932	powershell.exe
1432	powershell.exe
64	Purchase Order No. BCM190282Project.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Purchase Order No. BCM190282Project.exepowershell.exepowershell.exePurchase Order No. BCM190282Project.exe

description	pid	process
Token: SeDebugPrivilege	2096	Purchase Order No. BCM190282Project.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	64	Purchase Order No. BCM190282Project.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Purchase Order No. BCM190282Project.exe

description	pid	process	target process
PID 2096 wrote to memory of 1432	2096	Purchase Order No. BCM190282Project.exe	powershell.exe
PID 2096 wrote to memory of 1432	2096	Purchase Order No. BCM190282Project.exe	powershell.exe
PID 2096 wrote to memory of 1432	2096	Purchase Order No. BCM190282Project.exe	powershell.exe
PID 2096 wrote to memory of 2932	2096	Purchase Order No. BCM190282Project.exe	powershell.exe
PID 2096 wrote to memory of 2932	2096	Purchase Order No. BCM190282Project.exe	powershell.exe
PID 2096 wrote to memory of 2932	2096	Purchase Order No. BCM190282Project.exe	powershell.exe
PID 2096 wrote to memory of 4228	2096	Purchase Order No. BCM190282Project.exe	schtasks.exe
PID 2096 wrote to memory of 4228	2096	Purchase Order No. BCM190282Project.exe	schtasks.exe
PID 2096 wrote to memory of 4228	2096	Purchase Order No. BCM190282Project.exe	schtasks.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe
PID 2096 wrote to memory of 64	2096	Purchase Order No. BCM190282Project.exe	Purchase Order No. BCM190282Project.exe

outlook_office_path 1 IoCs

Processes:

Purchase Order No. BCM190282Project.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order No. BCM190282Project.exe

outlook_win_path 1 IoCs

Processes:

Purchase Order No. BCM190282Project.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Purchase Order No. BCM190282Project.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qWncfecZ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qWncfecZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AF8.tmp"
2⤵
- Creates scheduled task(s)
PID:4228

C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order No. BCM190282Project.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1abe17d8c190daa8ac3c339326bb8283

SHA1
827c57ca219d2e41d63e6413b346f5130d6f4b6e

SHA256
46c0322a8833c83dfd7a8cb22c1e4868be824ccd69d3bb61673c7ef1754edac7

SHA512
6f664cd411692fbd7adbfd7873fd08817180f332384ebf4d7070e2357b53512662de0589a38d46e9ee94facfc48b0ca67c2f0150ceafae9f6107d628b12a4ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AF8.tmp
Filesize
1KB

MD5
9f25f786bbf9366f38393f775f988a6b

SHA1
05803a8f1764cc9b2bd0b5c71001aeefea24faf8

SHA256
82612f546c6addfc7d99c2510bbb2620e7dda650b37871ef6fb9cd76d33e7b76

SHA512
eab888341680a6342ef036fb30237d1d56cf01914b34094a9f553146b96d3c192cde7d189955105a780969105f78240f2b6909f25ffce4a209e15a56fe7081c8

Download Submit
memory/64-161-0x00000000074D0000-0x0000000007520000-memory.dmp

Filesize
320KB

Download
memory/64-147-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/64-146-0x0000000000000000-mapping.dmp

Download
memory/1432-158-0x0000000007110000-0x000000000712A000-memory.dmp

Filesize
104KB

Download
memory/1432-151-0x0000000071730000-0x000000007177C000-memory.dmp

Filesize
304KB

Download
memory/1432-149-0x0000000006A80000-0x0000000006AB2000-memory.dmp

Filesize
200KB

Download
memory/1432-140-0x00000000021A0000-0x00000000021D6000-memory.dmp

Filesize
216KB

Download
memory/1432-141-0x0000000004D10000-0x0000000005338000-memory.dmp

Filesize
6.2MB

Download
memory/1432-142-0x0000000004B00000-0x0000000004B22000-memory.dmp

Filesize
136KB

Download
memory/1432-156-0x0000000007050000-0x00000000070E6000-memory.dmp

Filesize
600KB

Download
memory/1432-137-0x0000000000000000-mapping.dmp

Download
memory/1432-144-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/2096-134-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/2096-133-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/2096-135-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/2096-136-0x0000000007720000-0x00000000077BC000-memory.dmp

Filesize
624KB

Download
memory/2096-132-0x0000000000670000-0x00000000006FE000-memory.dmp

Filesize
568KB

Download
memory/2932-153-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/2932-152-0x0000000006930000-0x000000000694E000-memory.dmp

Filesize
120KB

Download
memory/2932-150-0x0000000071730000-0x000000007177C000-memory.dmp

Filesize
304KB

Download
memory/2932-154-0x0000000007690000-0x00000000076AA000-memory.dmp

Filesize
104KB

Download
memory/2932-155-0x0000000007710000-0x000000000771A000-memory.dmp

Filesize
40KB

Download
memory/2932-148-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/2932-157-0x00000000078C0000-0x00000000078CE000-memory.dmp

Filesize
56KB

Download
memory/2932-145-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/2932-159-0x00000000079B0000-0x00000000079B8000-memory.dmp

Filesize
32KB

Download
memory/2932-138-0x0000000000000000-mapping.dmp

Download
memory/4228-139-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads