agenttesla | 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2023, 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
Size

1.4MB
MD5

65edcfa090755e408992785778955dce
SHA1

6eff23db579671e283798e729a9b57614612b6d9
SHA256

871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0
SHA512

f8325f5a27318da052d81a67f1b1f552dc1932577ef932e273c7ae61974e595881f305721fe92fedcaf32190ef28c7a90520303c4410e1f0d44701b6b861a837
SSDEEP

24576:eSUqKIqZHzOdysVKr+nXF1CutCtbDpKYxOBvwaWGAOpYyovkirp:cpHzOdysVKrG1KpKYxn60Mi

Score

10^/10

agenttesla rhadamanthys collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.clipjoint.co.nz
Port:
587
Username:
[email protected]
Password:
melandloz64

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.clipjoint.co.nz
Port:
587
Username:
[email protected]
Password:
melandloz64
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect rhadamanthys stealer shellcode 2 IoCs

resource	yara_rule
behavioral2/memory/1352-162-0x0000000000C90000-0x0000000000CAD000-memory.dmp	family_rhadamanthys
behavioral2/memory/1352-165-0x0000000000C90000-0x0000000000CAD000-memory.dmp	family_rhadamanthys

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1684 created 2720	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	43

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe

Executes dropped EXE 1 IoCs

pid	Process
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Loads dropped DLL 1 IoCs

pid	Process
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ngentask.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ngentask.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ngentask.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.ipify.org
30	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1352	fontview.exe
1352	fontview.exe
1352	fontview.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 1364	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2128	1684	WerFault.exe	85

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	fontview.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	fontview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fontview.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4704	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2140	PING.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1364	ngentask.exe
Token: SeShutdownPrivilege	1352	fontview.exe
Token: SeCreatePagefilePrivilege	1352	fontview.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4704	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	83
PID 2984 wrote to memory of 4704	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	83
PID 2984 wrote to memory of 4704	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	83
PID 2984 wrote to memory of 1684	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	85
PID 2984 wrote to memory of 1684	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	85
PID 2984 wrote to memory of 1684	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	85
PID 2984 wrote to memory of 2032	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	86
PID 2984 wrote to memory of 2032	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	86
PID 2984 wrote to memory of 2032	2984	871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe	86
PID 2032 wrote to memory of 1924	2032	cmd.exe	88
PID 2032 wrote to memory of 1924	2032	cmd.exe	88
PID 2032 wrote to memory of 1924	2032	cmd.exe	88
PID 2032 wrote to memory of 2140	2032	cmd.exe	89
PID 2032 wrote to memory of 2140	2032	cmd.exe	89
PID 2032 wrote to memory of 2140	2032	cmd.exe	89
PID 1684 wrote to memory of 1364	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	92
PID 1684 wrote to memory of 1364	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	92
PID 1684 wrote to memory of 1364	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	92
PID 1684 wrote to memory of 1364	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	92
PID 1684 wrote to memory of 1364	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	92
PID 1684 wrote to memory of 1352	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	94
PID 1684 wrote to memory of 1352	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	94
PID 1684 wrote to memory of 1352	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	94
PID 1684 wrote to memory of 1352	1684	sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ngentask.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ngentask.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2720
- C:\Windows\SysWOW64\fontview.exe
  "C:\Windows\SYSWOW64\fontview.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:1352

C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
"C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4704
- C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
  "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1276
    3⤵
    - Program crash
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1684 -ip 1684
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240567906.dll

Filesize
335KB

MD5
f8d36091acfdc104254d90a91588d569

SHA1
3ac92b58e3378a6d88349cf8549ba8334a90b608

SHA256
7765a84991c1fc872740ffbcb1bc0563e4edc31fcf02ce9341fa1f316c6efdc4

SHA512
fc2f2bac554997593468cef0fcbd6c0b24e00852ba199b9cedb4c5c4af52eb6874e15e346953d2f47c31b05f18eec1f0865495187be943cd1fcf27ed4fb8a5f1

Download Submit
C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Filesize
774.4MB

MD5
a0ef20b3364e58c888d96dba6546252e

SHA1
87a215edc40ac6e73953eea44a2e6d9621e7d6af

SHA256
2f8ea8f784ccbe178f12d2841ccaec211db2fb67ab1e7e904f32b62c79423ba9

SHA512
ac9c91074f58829c075dc9ea636a9d7c3c8c34cb098e12ad873bd4ae913b85c8192a294abee45fc1d3448ee4572c79ee0233028e03918efed9b3ba1f379e0652

Download Submit
C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe

Filesize
774.4MB

MD5
a0ef20b3364e58c888d96dba6546252e

SHA1
87a215edc40ac6e73953eea44a2e6d9621e7d6af

SHA256
2f8ea8f784ccbe178f12d2841ccaec211db2fb67ab1e7e904f32b62c79423ba9

SHA512
ac9c91074f58829c075dc9ea636a9d7c3c8c34cb098e12ad873bd4ae913b85c8192a294abee45fc1d3448ee4572c79ee0233028e03918efed9b3ba1f379e0652

Download Submit
memory/1352-157-0x0000000000DC5000-0x0000000000DC7000-memory.dmp

Filesize
8KB

Download
memory/1352-153-0x0000000000790000-0x00000000007C5000-memory.dmp

Filesize
212KB

Download
memory/1352-165-0x0000000000C90000-0x0000000000CAD000-memory.dmp

Filesize
116KB

Download
memory/1352-164-0x0000000000790000-0x00000000007C5000-memory.dmp

Filesize
212KB

Download
memory/1352-163-0x0000000002B90000-0x0000000003B90000-memory.dmp

Filesize
16.0MB

Download
memory/1352-162-0x0000000000C90000-0x0000000000CAD000-memory.dmp

Filesize
116KB

Download
memory/1352-161-0x0000000000DC5000-0x0000000000DC7000-memory.dmp

Filesize
8KB

Download
memory/1352-150-0x0000000000790000-0x00000000007C5000-memory.dmp

Filesize
212KB

Download
memory/1364-158-0x0000000006860000-0x00000000068B0000-memory.dmp

Filesize
320KB

Download
memory/1364-155-0x0000000006630000-0x000000000663A000-memory.dmp

Filesize
40KB

Download
memory/1364-147-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1364-148-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/1364-160-0x0000000006950000-0x00000000069EC000-memory.dmp

Filesize
624KB

Download
memory/1364-159-0x0000000006A80000-0x0000000006C42000-memory.dmp

Filesize
1.8MB

Download
memory/1364-152-0x0000000004FC0000-0x0000000005026000-memory.dmp

Filesize
408KB

Download
memory/1364-154-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/1364-145-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1684-156-0x000000000B160000-0x000000000B335000-memory.dmp

Filesize
1.8MB

Download
memory/1684-143-0x000000000B160000-0x000000000B335000-memory.dmp

Filesize
1.8MB

Download
memory/1684-141-0x000000000B160000-0x000000000B335000-memory.dmp

Filesize
1.8MB

Download
memory/1684-137-0x0000000000040000-0x00000000001A7000-memory.dmp

Filesize
1.4MB

Download
memory/1684-166-0x0000000000040000-0x00000000001A7000-memory.dmp

Filesize
1.4MB

Download
memory/2984-132-0x0000000000C60000-0x0000000000DC7000-memory.dmp

Filesize
1.4MB

Download
memory/2984-139-0x0000000000C60000-0x0000000000DC7000-memory.dmp

Filesize
1.4MB

Download