agenttesla | a48b89e4588185e7323c37169bedd210f6fa429c0344906ab4decd46e31e9dff

General

Target

QUOTES_S.exe
Size

410KB
MD5

d0f0167747de9e85ece81cef22a569d7
SHA1

aeacddd1050c347e4ac27fdc65a2d7d5422c95e1
SHA256

894ca1dfeebe51eb320bd38a7da02c17e1937477a44cd4e8cf008f7a44fa7c3e
SHA512

90d58c5f8207d9bbf8a147edb6be2d0b4d676a34619d6e85736de3f5de938ee3fc7195883edfabfdec38f63ef03edce6faa0140a42a429e8fae3bb160543677f
SSDEEP

12288:yYXVBHN4C8x0ks0Ouuahj69YeeDtK0Y5tIv3G:yYXVBL8uks0OuNj69beY0Yov3G

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ravv.sk
Port:
587
Username:
[email protected]
Password:
bfE#vKaMi#

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
596	sdjhwceq.exe
940	sdjhwceq.exe

Loads dropped DLL 2 IoCs

pid	Process
1044	QUOTES_S.exe
596	sdjhwceq.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sdjhwceq.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sdjhwceq.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sdjhwceq.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 596 set thread context of 940	596	sdjhwceq.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
596	sdjhwceq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	sdjhwceq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 596	1044	QUOTES_S.exe	27
PID 1044 wrote to memory of 596	1044	QUOTES_S.exe	27
PID 1044 wrote to memory of 596	1044	QUOTES_S.exe	27
PID 1044 wrote to memory of 596	1044	QUOTES_S.exe	27
PID 596 wrote to memory of 940	596	sdjhwceq.exe	28
PID 596 wrote to memory of 940	596	sdjhwceq.exe	28
PID 596 wrote to memory of 940	596	sdjhwceq.exe	28
PID 596 wrote to memory of 940	596	sdjhwceq.exe	28
PID 596 wrote to memory of 940	596	sdjhwceq.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sdjhwceq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sdjhwceq.exe

C:\Users\Admin\AppData\Local\Temp\QUOTES_S.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTES_S.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe
  "C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe" C:\Users\Admin\AppData\Local\Temp\hdoiu.jyv
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe
    "C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpzggrmhcfn.w

Filesize
265KB

MD5
cf5fac3b51c7865c93e78ffade1c45a7

SHA1
7adfdb32526790e7bfb740f4dee5e58ec8eab5d8

SHA256
4a3357158f4612d3a1ce77bbf28e43f9ba5bd74ca7dd3a23a66eab77ff043687

SHA512
03f5f778c7c47ce4c28482efa50c3b6a7cbfc5d01b54b88df5e4b4091811a7b02d016bd4ee5a1318618d4ef2eb296dff7eadb462a3d419af1c31feb616c40c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdoiu.jyv

Filesize
5KB

MD5
8106dba78c7fa7b34219e271755c0fb8

SHA1
70f8c546f2d1e148d29d5ed35d29d12bcefb1b8c

SHA256
93b02fca044b58110594a582c76e6a334a4ee3de1a07c96f7448c73575da1241

SHA512
67ee5d57729c80cf9985827f95d1e3efd969fc7acc26113319dd0ca26e8302c11d4bb218683636300b5390aac2a81928b4d8510bfe04b5ac437033e01abc7b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe

Filesize
361KB

MD5
291e78e8cb84b508b91361d3e66bc90c

SHA1
91fa0e8de8d4e22f8a816f6a3cdd6dd5de6672d8

SHA256
a051234f29631277535b60e99bc4c404c6693838638050e3d16d6048d1edfb17

SHA512
b8d23b7e507f3a912cd3559457391d482dbac803980040eabfe7c218627713abe5916a3e38b9879dc6b1611343abe78dc6a2e418c0ac05109975fa49e2d0fb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe

Filesize
361KB

MD5
291e78e8cb84b508b91361d3e66bc90c

SHA1
91fa0e8de8d4e22f8a816f6a3cdd6dd5de6672d8

SHA256
a051234f29631277535b60e99bc4c404c6693838638050e3d16d6048d1edfb17

SHA512
b8d23b7e507f3a912cd3559457391d482dbac803980040eabfe7c218627713abe5916a3e38b9879dc6b1611343abe78dc6a2e418c0ac05109975fa49e2d0fb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdjhwceq.exe

Filesize
361KB

MD5
291e78e8cb84b508b91361d3e66bc90c

SHA1
91fa0e8de8d4e22f8a816f6a3cdd6dd5de6672d8

SHA256
a051234f29631277535b60e99bc4c404c6693838638050e3d16d6048d1edfb17

SHA512
b8d23b7e507f3a912cd3559457391d482dbac803980040eabfe7c218627713abe5916a3e38b9879dc6b1611343abe78dc6a2e418c0ac05109975fa49e2d0fb18

Download Submit
\Users\Admin\AppData\Local\Temp\sdjhwceq.exe

Filesize
361KB

MD5
291e78e8cb84b508b91361d3e66bc90c

SHA1
91fa0e8de8d4e22f8a816f6a3cdd6dd5de6672d8

SHA256
a051234f29631277535b60e99bc4c404c6693838638050e3d16d6048d1edfb17

SHA512
b8d23b7e507f3a912cd3559457391d482dbac803980040eabfe7c218627713abe5916a3e38b9879dc6b1611343abe78dc6a2e418c0ac05109975fa49e2d0fb18

Download Submit
\Users\Admin\AppData\Local\Temp\sdjhwceq.exe

Filesize
361KB

MD5
291e78e8cb84b508b91361d3e66bc90c

SHA1
91fa0e8de8d4e22f8a816f6a3cdd6dd5de6672d8

SHA256
a051234f29631277535b60e99bc4c404c6693838638050e3d16d6048d1edfb17

SHA512
b8d23b7e507f3a912cd3559457391d482dbac803980040eabfe7c218627713abe5916a3e38b9879dc6b1611343abe78dc6a2e418c0ac05109975fa49e2d0fb18

Download Submit
memory/940-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/940-66-0x00000000001A0000-0x00000000001D0000-memory.dmp

Filesize
192KB

Download
memory/1044-54-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing