agenttesla | 1284db12c0efe2e484f2bcef4c09290cb9cb82e381c366ae3a157ecd4eb317cb

General

Target

SHIPPING DOC.exe
Size

316KB
MD5

f599c7627641d32ff2d9a10552534048
SHA1

119b80734a53b6b376d6de1a65e0e6f373f5263e
SHA256

d6b1eec8bc20f67e635ce3b33938775757508384db07f1df35e4d09959f8cb6c
SHA512

2bceb2478e83bf755081d51f0b3aa7ae63508136b2cae64667a2113291aa2510a7dca8c0533b8e9f86cb44744d5a4f7efebb79558b50b3871065b22e7db341a1
SSDEEP

6144:vYa62iNhj3U6eYpDes+cfrSVAxmbUR853wVZe5hN15vraMCTGGHWtsxE:vYIiNFEApD5fdYwm5hprsT/NxE

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.strictfacilityservices.com
Port:
587
Username:
[email protected]
Password:
SFS!@#321
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1628	ggtuw.exe
296	ggtuw.exe

Loads dropped DLL 3 IoCs

pid	Process
1112	SHIPPING DOC.exe
1112	SHIPPING DOC.exe
1628	ggtuw.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ggtuw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ggtuw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ggtuw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 296	1628	ggtuw.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1628	ggtuw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	296	ggtuw.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1628	1112	SHIPPING DOC.exe	28
PID 1112 wrote to memory of 1628	1112	SHIPPING DOC.exe	28
PID 1112 wrote to memory of 1628	1112	SHIPPING DOC.exe	28
PID 1112 wrote to memory of 1628	1112	SHIPPING DOC.exe	28
PID 1628 wrote to memory of 296	1628	ggtuw.exe	29
PID 1628 wrote to memory of 296	1628	ggtuw.exe	29
PID 1628 wrote to memory of 296	1628	ggtuw.exe	29
PID 1628 wrote to memory of 296	1628	ggtuw.exe	29
PID 1628 wrote to memory of 296	1628	ggtuw.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ggtuw.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ggtuw.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\ggtuw.exe
  "C:\Users\Admin\AppData\Local\Temp\ggtuw.exe" C:\Users\Admin\AppData\Local\Temp\uwkzbbszzk.hoa
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Users\Admin\AppData\Local\Temp\ggtuw.exe
    "C:\Users\Admin\AppData\Local\Temp\ggtuw.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ggtuw.exe

Filesize
120KB

MD5
2b21de6c8e9e34ca05507c3b4c915804

SHA1
24d8d94d28a9c8b5c920e9221247439bf580a342

SHA256
0e892f39241d31deb84ad7dc7e2634486b7fa5e03423f7d308e5804c10551cbe

SHA512
10876f0b3aa9b14618f17e6cf2bde595487e3dd30513f3538ce25bef1c71bbfbf157c9fe075b748183a45928b64a0d016c776d824b4e8fa7e083ae7341a4a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggtuw.exe

Filesize
120KB

MD5
2b21de6c8e9e34ca05507c3b4c915804

SHA1
24d8d94d28a9c8b5c920e9221247439bf580a342

SHA256
0e892f39241d31deb84ad7dc7e2634486b7fa5e03423f7d308e5804c10551cbe

SHA512
10876f0b3aa9b14618f17e6cf2bde595487e3dd30513f3538ce25bef1c71bbfbf157c9fe075b748183a45928b64a0d016c776d824b4e8fa7e083ae7341a4a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggtuw.exe

Filesize
120KB

MD5
2b21de6c8e9e34ca05507c3b4c915804

SHA1
24d8d94d28a9c8b5c920e9221247439bf580a342

SHA256
0e892f39241d31deb84ad7dc7e2634486b7fa5e03423f7d308e5804c10551cbe

SHA512
10876f0b3aa9b14618f17e6cf2bde595487e3dd30513f3538ce25bef1c71bbfbf157c9fe075b748183a45928b64a0d016c776d824b4e8fa7e083ae7341a4a78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkktt.fm

Filesize
262KB

MD5
3c0659ce1a6b1dc0390d3a5d3d75cbd2

SHA1
8db7fdb3e1fb663fb91a96141d20cf90c4c3cc6a

SHA256
035dea98cc426145f98a2da55d13591e1e8f48aa2d1a8fc00dad04d2252bac07

SHA512
3e67a40f9d6a14b01edfa4637a4e5d0c9cb9f197d42e99719e54d7816acd5e8cfbd2e247f14074cc376d00ce8ad57e0a39a3102c620868e8329f949702fdbff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uwkzbbszzk.hoa

Filesize
5KB

MD5
4e9fd3e2a6d175f50fcfeade3ae33768

SHA1
39154603712a95b30c74b2a82fa6574800450813

SHA256
2f7cec1229a48459c8170f6f41b6742e09e95774591adb7beeff7888ebf08a9c

SHA512
8a7b7532c09fa9e37e69d82018413f8b40327728dcab1342a1028c8167873fa8b98a3dc3e2c89aef9e42912523276ad814236f8219f9718de2297935de83f0f2

Download Submit
\Users\Admin\AppData\Local\Temp\ggtuw.exe

Filesize
120KB

MD5
2b21de6c8e9e34ca05507c3b4c915804

SHA1
24d8d94d28a9c8b5c920e9221247439bf580a342

SHA256
0e892f39241d31deb84ad7dc7e2634486b7fa5e03423f7d308e5804c10551cbe

SHA512
10876f0b3aa9b14618f17e6cf2bde595487e3dd30513f3538ce25bef1c71bbfbf157c9fe075b748183a45928b64a0d016c776d824b4e8fa7e083ae7341a4a78a

Download Submit
\Users\Admin\AppData\Local\Temp\ggtuw.exe

Filesize
120KB

MD5
2b21de6c8e9e34ca05507c3b4c915804

SHA1
24d8d94d28a9c8b5c920e9221247439bf580a342

SHA256
0e892f39241d31deb84ad7dc7e2634486b7fa5e03423f7d308e5804c10551cbe

SHA512
10876f0b3aa9b14618f17e6cf2bde595487e3dd30513f3538ce25bef1c71bbfbf157c9fe075b748183a45928b64a0d016c776d824b4e8fa7e083ae7341a4a78a

Download Submit
\Users\Admin\AppData\Local\Temp\ggtuw.exe

Filesize
120KB

MD5
2b21de6c8e9e34ca05507c3b4c915804

SHA1
24d8d94d28a9c8b5c920e9221247439bf580a342

SHA256
0e892f39241d31deb84ad7dc7e2634486b7fa5e03423f7d308e5804c10551cbe

SHA512
10876f0b3aa9b14618f17e6cf2bde595487e3dd30513f3538ce25bef1c71bbfbf157c9fe075b748183a45928b64a0d016c776d824b4e8fa7e083ae7341a4a78a

Download Submit
memory/296-63-0x0000000000401896-mapping.dmp

Download
memory/296-66-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/296-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-54-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1628-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing