agenttesla | 5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d

General

Target

5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
Size

343KB
MD5

383a66b236ca130567b944ded28acbb3
SHA1

1f32c099f88de3de17411232b469720de80b9568
SHA256

5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d
SHA512

12aa8017a36beef09fd08da0c5175c311dff38f25edd7a6a79e5ed5179cf75a8ee237c62b229e9ae74b8c004d7b1f401db952844e4feed7c39b3be5ff55eac23
SSDEEP

6144:gYa6Ydr4i+dYQy+/quTtshVOl9jqNmB0x+4/iew7ePphpRdCVXsy:gYqGi+36uTamvKmeNPphnkFV

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
972	lhjlh.exe
360	lhjlh.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lhjlh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lhjlh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lhjlh.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 972 set thread context of 360	972	lhjlh.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
360	lhjlh.exe
360	lhjlh.exe
360	lhjlh.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
972	lhjlh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	360	lhjlh.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 972	4088	5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe	80
PID 4088 wrote to memory of 972	4088	5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe	80
PID 4088 wrote to memory of 972	4088	5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe	80
PID 972 wrote to memory of 360	972	lhjlh.exe	81
PID 972 wrote to memory of 360	972	lhjlh.exe	81
PID 972 wrote to memory of 360	972	lhjlh.exe	81
PID 972 wrote to memory of 360	972	lhjlh.exe	81

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lhjlh.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lhjlh.exe

C:\Users\Admin\AppData\Local\Temp\5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
"C:\Users\Admin\AppData\Local\Temp\5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\lhjlh.exe
  "C:\Users\Admin\AppData\Local\Temp\lhjlh.exe" C:\Users\Admin\AppData\Local\Temp\bpiaurtg.lxm
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\lhjlh.exe
    "C:\Users\Admin\AppData\Local\Temp\lhjlh.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bpiaurtg.lxm

Filesize
5KB

MD5
e7c4dfe685330a359d7086353be044e3

SHA1
d77e89fb8fed3f8d393ab1626b0f04f51b102241

SHA256
7a09ad825dda413368597b65a70620d7b2c0b7f4bc4f50951e08ef944ec32e81

SHA512
470ed5b264137e582bfdadad8b2c7a11ca2179c556176146f3b35b6ff408afc2784a308e0b75132900ae72cabb30d8536842ea4f23d077f92ed282e6fe916526

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhjlh.exe

Filesize
50KB

MD5
c20b75ad041c86940589f41878af7187

SHA1
2dfb0a1b7c680157c2ae7b7a60a6c4f83bfe7c2e

SHA256
c017f5bbfdec5544845a48d05c445c5f3744ed60b60fa6b40c703a6477b8a1f7

SHA512
df10c32fbedc23fa59a90d41afac6bc679c930a793d13897d6c8a786e5dd8f67b86d294c58c56eb4d72d86c74b497ebeb1fc5d0ef444fd2f83f03a484c1caff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhjlh.exe

Filesize
50KB

MD5
c20b75ad041c86940589f41878af7187

SHA1
2dfb0a1b7c680157c2ae7b7a60a6c4f83bfe7c2e

SHA256
c017f5bbfdec5544845a48d05c445c5f3744ed60b60fa6b40c703a6477b8a1f7

SHA512
df10c32fbedc23fa59a90d41afac6bc679c930a793d13897d6c8a786e5dd8f67b86d294c58c56eb4d72d86c74b497ebeb1fc5d0ef444fd2f83f03a484c1caff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhjlh.exe

Filesize
50KB

MD5
c20b75ad041c86940589f41878af7187

SHA1
2dfb0a1b7c680157c2ae7b7a60a6c4f83bfe7c2e

SHA256
c017f5bbfdec5544845a48d05c445c5f3744ed60b60fa6b40c703a6477b8a1f7

SHA512
df10c32fbedc23fa59a90d41afac6bc679c930a793d13897d6c8a786e5dd8f67b86d294c58c56eb4d72d86c74b497ebeb1fc5d0ef444fd2f83f03a484c1caff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pjxgwrq.d

Filesize
315KB

MD5
7d6278c457fc5f516e3648533a28dfe9

SHA1
ba68478cc1326b0958a4674e1d4dd0e7e5109dc8

SHA256
4d6fc082a341a6cf1809d577d35d452496e637e4e75346b7f1ff232b236eb47c

SHA512
a5b84ae497ef8f45e5dac2ea2e6f2adfd8f4d2e5e9d382d71bed74951ba64d6c0f07a1a28903304736489577b825c99b55b1af6dd624372a2e71388e4482e1e7

Download Submit
memory/360-137-0x0000000000000000-mapping.dmp

Download
memory/360-139-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/360-140-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/360-141-0x0000000004A10000-0x0000000004AAC000-memory.dmp

Filesize
624KB

Download
memory/360-142-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/360-143-0x0000000005B70000-0x0000000005BC0000-memory.dmp

Filesize
320KB

Download
memory/360-144-0x0000000005D20000-0x0000000005DB2000-memory.dmp

Filesize
584KB

Download
memory/360-145-0x0000000005DE0000-0x0000000005DEA000-memory.dmp

Filesize
40KB

Download
memory/972-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing