agenttesla | 2b7d52cff6d8153c70e007f4b88b38788b6205144cb65c60b76272dc838acc8b

General

Target

URGENT REQUEST.exe
Size

64KB
MD5

3031228682ee992a8c75b0b7e767b794
SHA1

c0beabc62747ee62fbb05eb35284cc382a9a25fe
SHA256

2b7d52cff6d8153c70e007f4b88b38788b6205144cb65c60b76272dc838acc8b
SHA512

4fbadca7a43b04946afab52fd39e7de1ce34677d93316ff1f471105331af29e9787979fd6a6c3be2e1d6be0253fbd2b67c6f5963b618ebdeec030a77e49254aa
SSDEEP

768:EkOyF9AKzI19Nn7cx4vn+vEqMtpYYkhN40LO6dusn04eF:xOe9AA49Nn7cxgMEqMt8N40ymuL3F

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
focuzpartsmart.com
Port:
587
Username:
johnsonpc@focuzpartsmart.com
Password:
FpmJhn@2023
Email To:
decenmomodou20@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

URGENT REQUEST.exe

description pid process target process

PID 4600 set thread context of 1048 4600 URGENT REQUEST.exe jsc.exe

description	pid	process	target process
PID 4600 set thread context of 1048	4600	URGENT REQUEST.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

URGENT REQUEST.exe

pid	process
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe
4600	URGENT REQUEST.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

URGENT REQUEST.exejsc.exe

description pid process

Token: SeDebugPrivilege 4600 URGENT REQUEST.exe
Token: SeDebugPrivilege 1048 jsc.exe

description	pid	process
Token: SeDebugPrivilege	4600	URGENT REQUEST.exe
Token: SeDebugPrivilege	1048	jsc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

URGENT REQUEST.exe

description	pid	process	target process
PID 4600 wrote to memory of 4804	4600	URGENT REQUEST.exe	RegAsm.exe
PID 4600 wrote to memory of 4804	4600	URGENT REQUEST.exe	RegAsm.exe
PID 4600 wrote to memory of 3276	4600	URGENT REQUEST.exe	WsatConfig.exe
PID 4600 wrote to memory of 3276	4600	URGENT REQUEST.exe	WsatConfig.exe
PID 4600 wrote to memory of 4756	4600	URGENT REQUEST.exe	AddInProcess32.exe
PID 4600 wrote to memory of 4756	4600	URGENT REQUEST.exe	AddInProcess32.exe
PID 4600 wrote to memory of 4756	4600	URGENT REQUEST.exe	AddInProcess32.exe
PID 4600 wrote to memory of 3376	4600	URGENT REQUEST.exe	aspnet_state.exe
PID 4600 wrote to memory of 3376	4600	URGENT REQUEST.exe	aspnet_state.exe
PID 4600 wrote to memory of 4596	4600	URGENT REQUEST.exe	AddInProcess.exe
PID 4600 wrote to memory of 4596	4600	URGENT REQUEST.exe	AddInProcess.exe
PID 4600 wrote to memory of 4336	4600	URGENT REQUEST.exe	SMSvcHost.exe
PID 4600 wrote to memory of 4336	4600	URGENT REQUEST.exe	SMSvcHost.exe
PID 4600 wrote to memory of 1044	4600	URGENT REQUEST.exe	CasPol.exe
PID 4600 wrote to memory of 1044	4600	URGENT REQUEST.exe	CasPol.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe
PID 4600 wrote to memory of 1048	4600	URGENT REQUEST.exe	jsc.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:4804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
2⤵
PID:3276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:4756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:3376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:4596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:4336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:1044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-134-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-135-0x000000000042A62E-mapping.dmp

Download
memory/1048-137-0x0000000005F20000-0x00000000064C4000-memory.dmp

Filesize
5.6MB

Download
memory/1048-138-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/1048-139-0x00000000069F0000-0x0000000006A82000-memory.dmp

Filesize
584KB

Download
memory/1048-140-0x00000000069B0000-0x00000000069BA000-memory.dmp

Filesize
40KB

Download
memory/1048-141-0x0000000006B30000-0x0000000006B80000-memory.dmp

Filesize
320KB

Download
memory/1048-142-0x0000000006E50000-0x0000000007012000-memory.dmp

Filesize
1.8MB

Download
memory/4600-132-0x00000203B8FA0000-0x00000203B8FB4000-memory.dmp

Filesize
80KB

Download
memory/4600-133-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4600-136-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads