agenttesla | 5b9beaf5bcc7cdcf72bf643b20bb15027536aae92fa0f33cdffbd02cf7297cbb

General

Target

Re Overdue_2022 & payment reminder.exe
Size

899KB
MD5

65f91978b009e38d5c12c1c8e6b750d9
SHA1

b2706dbbe0a417030e9288851276113a4ff59fc5
SHA256

5b9beaf5bcc7cdcf72bf643b20bb15027536aae92fa0f33cdffbd02cf7297cbb
SHA512

25c660e2f807b87f29caca8d322398e0ab40e0705be7a9220aea1c09bea9142a64514919eb962c4ab373b17821df8afe2d144371f5278fd3db582cc0a6b2a254
SSDEEP

24576:RMRYTynuUNAisQeKddJgQQhTL6lCueDm:zQzXWhKCuea

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bosphoreqroup.com
Port:
587
Username:
[email protected]
Password:
password2022@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\yGbzOMp = "C:\\Users\\Admin\\AppData\\Roaming\\yGbzOMp\\yGbzOMp.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1276 set thread context of 952	1276	Re Overdue_2022 & payment reminder.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1276	Re Overdue_2022 & payment reminder.exe
1276	Re Overdue_2022 & payment reminder.exe
1276	Re Overdue_2022 & payment reminder.exe
524	powershell.exe
572	powershell.exe
1276	Re Overdue_2022 & payment reminder.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	Re Overdue_2022 & payment reminder.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	952	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 572	1276	Re Overdue_2022 & payment reminder.exe	27
PID 1276 wrote to memory of 572	1276	Re Overdue_2022 & payment reminder.exe	27
PID 1276 wrote to memory of 572	1276	Re Overdue_2022 & payment reminder.exe	27
PID 1276 wrote to memory of 572	1276	Re Overdue_2022 & payment reminder.exe	27
PID 1276 wrote to memory of 524	1276	Re Overdue_2022 & payment reminder.exe	29
PID 1276 wrote to memory of 524	1276	Re Overdue_2022 & payment reminder.exe	29
PID 1276 wrote to memory of 524	1276	Re Overdue_2022 & payment reminder.exe	29
PID 1276 wrote to memory of 524	1276	Re Overdue_2022 & payment reminder.exe	29
PID 1276 wrote to memory of 1696	1276	Re Overdue_2022 & payment reminder.exe	31
PID 1276 wrote to memory of 1696	1276	Re Overdue_2022 & payment reminder.exe	31
PID 1276 wrote to memory of 1696	1276	Re Overdue_2022 & payment reminder.exe	31
PID 1276 wrote to memory of 1696	1276	Re Overdue_2022 & payment reminder.exe	31
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33
PID 1276 wrote to memory of 952	1276	Re Overdue_2022 & payment reminder.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Re Overdue_2022 & payment reminder.exe
"C:\Users\Admin\AppData\Local\Temp\Re Overdue_2022 & payment reminder.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Re Overdue_2022 & payment reminder.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mZohOAEGFL.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZohOAEGFL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA12.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEA12.tmp

Filesize
1KB

MD5
2ac1b955cb86f0f4f453ee3fb8020673

SHA1
05d90f3511af1e2dbd72a43cea40d0bd11311d54

SHA256
d73a29cb64a96a3c3cdc05f57710e947b738de7efa7a06c61c16bd7aa48f0129

SHA512
881178ce3ae1c808d90055a56f25badb352b095fac8e939247ca31e31f72f9c6ff1f8bc3c9032c3612dd943f5010b4ecd0e4d712d5e156e174657470270ae517

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
26377cab800dd3a81f80c8f67c5118de

SHA1
029121135b05b2b314afdaabec380f0dde085d19

SHA256
517f9aa2a003b8c3994b847f10c612f2da227a30592056f5cd1d48fade286577

SHA512
2ece126ea6d9726d3c162e7b0243add49a7f1b77e3521a5b2922978d7c22f107937ae442a76db95eeddf877338168e76bf530e78e56244523a3d13703aeb16ec

Download Submit
memory/524-82-0x000000006E480000-0x000000006EA2B000-memory.dmp

Filesize
5.7MB

Download
memory/524-79-0x000000006E480000-0x000000006EA2B000-memory.dmp

Filesize
5.7MB

Download
memory/572-81-0x000000006E480000-0x000000006EA2B000-memory.dmp

Filesize
5.7MB

Download
memory/572-80-0x000000006E480000-0x000000006EA2B000-memory.dmp

Filesize
5.7MB

Download
memory/952-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/952-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/952-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/952-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/952-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/952-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/952-71-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1276-54-0x00000000003F0000-0x00000000004D6000-memory.dmp

Filesize
920KB

Download
memory/1276-66-0x0000000004D70000-0x0000000004DB8000-memory.dmp

Filesize
288KB

Download
memory/1276-58-0x0000000005560000-0x0000000005600000-memory.dmp

Filesize
640KB

Download
memory/1276-57-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/1276-56-0x0000000000540000-0x0000000000554000-memory.dmp

Filesize
80KB

Download
memory/1276-55-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads