agenttesla | 18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400

General

Target

18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe
Size

321KB
MD5

66d479cf6b2398a9453889ad83ba17ad
SHA1

163183fa2cf907106ea82a4ec3a23e0799a44861
SHA256

18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400
SHA512

36c1551c000f0619bab0385f36d0d85285bb80214702a8a30202f8a9cc4e1004451bb41748e609a63cc647e8c9ff2e84b57f86659ce387255424708afd593caa
SSDEEP

6144:vYa6QsHhmMk/7K5j+70H+CkvuKZfw16P1AqVgRm1iM8ws:vYusHhXguJeCmy16NT8m1u

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1060497255888605185/YygDHRiwYqCp3BheuMa5Zliz-2yRI2G-aeR8nFUp8XCSIhCp4S0uU66B1TLkMA0rIykw

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2036	eaflilqov.exe
1716	eaflilqov.exe

Loads dropped DLL 2 IoCs

pid	Process
1308	18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe
2036	eaflilqov.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eaflilqov.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eaflilqov.exe
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eaflilqov.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\vuvfqr = "C:\\Users\\Admin\\AppData\\Roaming\\uuhxgm\\vaqsevqiyxf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\eaflilqov.exe\" C:\\Users\\Admin\\AppData\\Loc"	eaflilqov.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1716	2036	eaflilqov.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2036	eaflilqov.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	eaflilqov.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2036	1308	18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe	27
PID 1308 wrote to memory of 2036	1308	18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe	27
PID 1308 wrote to memory of 2036	1308	18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe	27
PID 1308 wrote to memory of 2036	1308	18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe	27
PID 2036 wrote to memory of 1716	2036	eaflilqov.exe	28
PID 2036 wrote to memory of 1716	2036	eaflilqov.exe	28
PID 2036 wrote to memory of 1716	2036	eaflilqov.exe	28
PID 2036 wrote to memory of 1716	2036	eaflilqov.exe	28
PID 2036 wrote to memory of 1716	2036	eaflilqov.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eaflilqov.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	eaflilqov.exe

C:\Users\Admin\AppData\Local\Temp\18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe
"C:\Users\Admin\AppData\Local\Temp\18b67c097448c87c28b96f9f00843bd58c8da0d2866bc69aaa5bf308d785c400.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe
  "C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe" C:\Users\Admin\AppData\Local\Temp\okxpwbsslq.inq
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe
    "C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe

Filesize
113KB

MD5
9ced96931627697ff3dcfe2ecfab287f

SHA1
6173a5de9a10178142272aceef7269987ee8facc

SHA256
93d6ffecdc1a61749b3b0c669e6c10c21234269583d368c4f2a0b41aeeb9422c

SHA512
540306d19eba4d58db51b9892e8afb514d1f78664e5a0c8062f6fc0049d9f610c5fbbbd2a82859523cf083c27e78407430a4195f19437579a2d616f0f70a13b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe

Filesize
113KB

MD5
9ced96931627697ff3dcfe2ecfab287f

SHA1
6173a5de9a10178142272aceef7269987ee8facc

SHA256
93d6ffecdc1a61749b3b0c669e6c10c21234269583d368c4f2a0b41aeeb9422c

SHA512
540306d19eba4d58db51b9892e8afb514d1f78664e5a0c8062f6fc0049d9f610c5fbbbd2a82859523cf083c27e78407430a4195f19437579a2d616f0f70a13b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaflilqov.exe

Filesize
113KB

MD5
9ced96931627697ff3dcfe2ecfab287f

SHA1
6173a5de9a10178142272aceef7269987ee8facc

SHA256
93d6ffecdc1a61749b3b0c669e6c10c21234269583d368c4f2a0b41aeeb9422c

SHA512
540306d19eba4d58db51b9892e8afb514d1f78664e5a0c8062f6fc0049d9f610c5fbbbd2a82859523cf083c27e78407430a4195f19437579a2d616f0f70a13b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixtugxr.q

Filesize
263KB

MD5
b66159b3f4217c60cfa3ced64c3e6b52

SHA1
c40a02ef216dcc0d32361af2d8660d0a932a6078

SHA256
49633741d24c2a679215623d925b46140940d1178453bc5edea44a818e665c7c

SHA512
91b92050c627093e1bee0ca0e6f33abe5b859f9126b7801a2f044bc97846140f57057634dce2a35cd6d57be7b4e195eb7bdae02ae3b6c99e996db6f91b966e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\okxpwbsslq.inq

Filesize
7KB

MD5
a9b83b6104f77020a48a31d7d93be363

SHA1
9333b354ece02de825fffac2ff6083fccc14a612

SHA256
7bdebba10093f08d6d748a210d50726d1eef854e2bdcb0954de86062881558a0

SHA512
5089310d1d9d91e97001649aae06481a12058f8de5e50f2ac8e77f574de244416dc466a7f0f337cb8c4936e1440f486b05915a28ecb10b3a59b19e8acd2d7685

Download Submit
\Users\Admin\AppData\Local\Temp\eaflilqov.exe

Filesize
113KB

MD5
9ced96931627697ff3dcfe2ecfab287f

SHA1
6173a5de9a10178142272aceef7269987ee8facc

SHA256
93d6ffecdc1a61749b3b0c669e6c10c21234269583d368c4f2a0b41aeeb9422c

SHA512
540306d19eba4d58db51b9892e8afb514d1f78664e5a0c8062f6fc0049d9f610c5fbbbd2a82859523cf083c27e78407430a4195f19437579a2d616f0f70a13b4

Download Submit
\Users\Admin\AppData\Local\Temp\eaflilqov.exe

Filesize
113KB

MD5
9ced96931627697ff3dcfe2ecfab287f

SHA1
6173a5de9a10178142272aceef7269987ee8facc

SHA256
93d6ffecdc1a61749b3b0c669e6c10c21234269583d368c4f2a0b41aeeb9422c

SHA512
540306d19eba4d58db51b9892e8afb514d1f78664e5a0c8062f6fc0049d9f610c5fbbbd2a82859523cf083c27e78407430a4195f19437579a2d616f0f70a13b4

Download Submit
memory/1308-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1716-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-67-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing