agenttesla | 7d78782be02addab22c18c6ff2acd356af2ae00764aa07cb6f5d6ccae8849954

General

Target

INQUIRY_.exe
Size

336KB
MD5

a2ab7106ec15430a26a4cc51b8652e90
SHA1

568921c051e70728e3bda88be84229b39eb25101
SHA256

a4d3f3fee4515751a055d909feb13caa9b57b004451a7593cae493865b480e70
SHA512

a35d60cd0798142430f6d418d7f920850a05f881b38118cb586393510e29e6c14a14faca1f126c0db5e9646d21317b3368857bc68a672a966ad0040f9c14ca94
SSDEEP

6144:yYa6xrR2TNg4m+y2qUJBBMVZ8vy1cK9tU1A15sW4FKo9wxGPM3F5v:yY3Lnt2qGBe8vy1zUO15sW4FKoqxGPMr

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.bonsa.lt
Port:
587
Username:
[email protected]
Password:
201Bon@21

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bonsa.lt
Port:
587
Username:
[email protected]
Password:
201Bon@21
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
992	rankmtnsam.exe
1676	rankmtnsam.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	INQUIRY_.exe
992	rankmtnsam.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rankmtnsam.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rankmtnsam.exe
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rankmtnsam.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 1676	992	rankmtnsam.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
992	rankmtnsam.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	rankmtnsam.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 992	2040	INQUIRY_.exe	28
PID 2040 wrote to memory of 992	2040	INQUIRY_.exe	28
PID 2040 wrote to memory of 992	2040	INQUIRY_.exe	28
PID 2040 wrote to memory of 992	2040	INQUIRY_.exe	28
PID 992 wrote to memory of 1676	992	rankmtnsam.exe	29
PID 992 wrote to memory of 1676	992	rankmtnsam.exe	29
PID 992 wrote to memory of 1676	992	rankmtnsam.exe	29
PID 992 wrote to memory of 1676	992	rankmtnsam.exe	29
PID 992 wrote to memory of 1676	992	rankmtnsam.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rankmtnsam.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rankmtnsam.exe

C:\Users\Admin\AppData\Local\Temp\INQUIRY_.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY_.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe
  "C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe" C:\Users\Admin\AppData\Local\Temp\ythdluvvbpt.m
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe
    "C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe

Filesize
130KB

MD5
0da965d99c25571a8b067ecbf779b338

SHA1
d4439fadf4160a2238cbe60e1787a41d76f593bc

SHA256
605b20ccba6d4f9c5f6af2b9dc781b57ab1bc5ba9c459cdd9bcff90dde547e51

SHA512
6efa299e835ec22c872b5601c1cd2d38fef0a09f9ac5387b00b92d0404dd20bdf20b96479159734b8107165ab6e08c767c852c741c80eafa43579f9bfb5a7fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe

Filesize
130KB

MD5
0da965d99c25571a8b067ecbf779b338

SHA1
d4439fadf4160a2238cbe60e1787a41d76f593bc

SHA256
605b20ccba6d4f9c5f6af2b9dc781b57ab1bc5ba9c459cdd9bcff90dde547e51

SHA512
6efa299e835ec22c872b5601c1cd2d38fef0a09f9ac5387b00b92d0404dd20bdf20b96479159734b8107165ab6e08c767c852c741c80eafa43579f9bfb5a7fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rankmtnsam.exe

Filesize
130KB

MD5
0da965d99c25571a8b067ecbf779b338

SHA1
d4439fadf4160a2238cbe60e1787a41d76f593bc

SHA256
605b20ccba6d4f9c5f6af2b9dc781b57ab1bc5ba9c459cdd9bcff90dde547e51

SHA512
6efa299e835ec22c872b5601c1cd2d38fef0a09f9ac5387b00b92d0404dd20bdf20b96479159734b8107165ab6e08c767c852c741c80eafa43579f9bfb5a7fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uqnvalxzx.sl

Filesize
265KB

MD5
02571d716b019d0bab7801022f4cc46e

SHA1
8c163e913e5b75de564ad601456542dbbced3d8d

SHA256
06bf006af30bdc6585b65542fc2925639141b0cc4aba7cecbab2d4a6b06dc371

SHA512
06eb94abe49d4cba3e838bd55a124f1c3864dd378b138a2fcb02cc1f0fc53d7dd8afe5a727431d5c4a469063f8fdcc8125547e627b1036274bf2ece4dc3b5078

Download Submit
C:\Users\Admin\AppData\Local\Temp\ythdluvvbpt.m

Filesize
5KB

MD5
3e5e2196089eb03260b88778bda5982b

SHA1
25538aad7da47bf8c300feb6637f65f1476ddd30

SHA256
43098e2984e7e7df3d29235e21ec1bc225cd5f5d33e41d2cee8fb16e59bd8697

SHA512
8ba644124c6eb69d4e35a8ef1c5b7ec69d4d979a0e2ea1f67eaf781035bd501abb6e2252ef09648e8862ca5000016993e35d8e27780968f61f6048daaf737172

Download Submit
\Users\Admin\AppData\Local\Temp\rankmtnsam.exe

Filesize
130KB

MD5
0da965d99c25571a8b067ecbf779b338

SHA1
d4439fadf4160a2238cbe60e1787a41d76f593bc

SHA256
605b20ccba6d4f9c5f6af2b9dc781b57ab1bc5ba9c459cdd9bcff90dde547e51

SHA512
6efa299e835ec22c872b5601c1cd2d38fef0a09f9ac5387b00b92d0404dd20bdf20b96479159734b8107165ab6e08c767c852c741c80eafa43579f9bfb5a7fe2

Download Submit
\Users\Admin\AppData\Local\Temp\rankmtnsam.exe

Filesize
130KB

MD5
0da965d99c25571a8b067ecbf779b338

SHA1
d4439fadf4160a2238cbe60e1787a41d76f593bc

SHA256
605b20ccba6d4f9c5f6af2b9dc781b57ab1bc5ba9c459cdd9bcff90dde547e51

SHA512
6efa299e835ec22c872b5601c1cd2d38fef0a09f9ac5387b00b92d0404dd20bdf20b96479159734b8107165ab6e08c767c852c741c80eafa43579f9bfb5a7fe2

Download Submit
memory/1676-66-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/1676-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2040-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads