agenttesla | 08477ca70902dc2098c13b61d3661c0defe17a1e42195cdc6b1bdb7af2d98e2d

Analysis

max time kernel
42s
max time network
139s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13/02/2023, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Meidoh RFQ IND.2023.exe
Size

332KB
MD5

889ce644fc58e8493c76fdc886340bb9
SHA1

11826787f0f2fcf9d2c959b9e992f1639b4938ba
SHA256

08477ca70902dc2098c13b61d3661c0defe17a1e42195cdc6b1bdb7af2d98e2d
SHA512

5c7331db00b0188e5db661061bf7d4bb426d51906e4193e3e6ff588089b335ab0f4c6aa2a8f02efc79b3b41405c2e44a2385f97d828cba481ad7f4474d6d2d34
SSDEEP

6144:vYa6vOKlv2G7Pqj+tDlfhnQjbNKA/eYaLJMqTqoFZOR79j208j:vYtxlv28qjYDpn/XTJ27R8j

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.azmlogistics.com
Port:
587
Username:
[email protected]
Password:
cJ0Py0z8]6@U
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 4 IoCs

pid	Process
1656	zzcfkgjqz.exe
1496	zzcfkgjqz.exe
1584	zzcfkgjqz.exe
1492	zzcfkgjqz.exe

Loads dropped DLL 4 IoCs

pid	Process
1956	Meidoh RFQ IND.2023.exe
1656	zzcfkgjqz.exe
1656	zzcfkgjqz.exe
1656	zzcfkgjqz.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzcfkgjqz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzcfkgjqz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzcfkgjqz.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 1492	1656	zzcfkgjqz.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1656	zzcfkgjqz.exe
1656	zzcfkgjqz.exe
1656	zzcfkgjqz.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	zzcfkgjqz.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1492	zzcfkgjqz.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1656	1956	Meidoh RFQ IND.2023.exe	28
PID 1956 wrote to memory of 1656	1956	Meidoh RFQ IND.2023.exe	28
PID 1956 wrote to memory of 1656	1956	Meidoh RFQ IND.2023.exe	28
PID 1956 wrote to memory of 1656	1956	Meidoh RFQ IND.2023.exe	28
PID 1656 wrote to memory of 1496	1656	zzcfkgjqz.exe	29
PID 1656 wrote to memory of 1496	1656	zzcfkgjqz.exe	29
PID 1656 wrote to memory of 1496	1656	zzcfkgjqz.exe	29
PID 1656 wrote to memory of 1496	1656	zzcfkgjqz.exe	29
PID 1656 wrote to memory of 1584	1656	zzcfkgjqz.exe	30
PID 1656 wrote to memory of 1584	1656	zzcfkgjqz.exe	30
PID 1656 wrote to memory of 1584	1656	zzcfkgjqz.exe	30
PID 1656 wrote to memory of 1584	1656	zzcfkgjqz.exe	30
PID 1656 wrote to memory of 1492	1656	zzcfkgjqz.exe	31
PID 1656 wrote to memory of 1492	1656	zzcfkgjqz.exe	31
PID 1656 wrote to memory of 1492	1656	zzcfkgjqz.exe	31
PID 1656 wrote to memory of 1492	1656	zzcfkgjqz.exe	31
PID 1656 wrote to memory of 1492	1656	zzcfkgjqz.exe	31

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzcfkgjqz.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	zzcfkgjqz.exe

C:\Users\Admin\AppData\Local\Temp\Meidoh RFQ IND.2023.exe
"C:\Users\Admin\AppData\Local\Temp\Meidoh RFQ IND.2023.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe
  "C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe" C:\Users\Admin\AppData\Local\Temp\karsrcsvmxh.ar
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe
    "C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe"
    3⤵
    - Executes dropped EXE
    PID:1496
- - C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe
    "C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe"
    3⤵
    - Executes dropped EXE
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe
    "C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\karsrcsvmxh.ar

Filesize
5KB

MD5
a72e06ecc61cfb2d6dc459f5bf08a6cb

SHA1
0dbfb696b1a3cda398abf4fdb8527f0c9291022e

SHA256
b2588bf0d3e8725bc36e62c12f26158e2c8630f389c7cc01916919166331bfd9

SHA512
753c145826dc36cc27b2c6e04e08c419421dadb3cc0cfb191429f9e4eed8cfef39f1b4fab0bcf2b9f0dd7163fc75b56e731680cd60471291688d55e23392c2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdgdwhjcr.qc

Filesize
262KB

MD5
d5222e7a13fee24630ab86c5ee61d234

SHA1
ed4c7da3651392a1bff099687776a44d1c5ce96e

SHA256
9097142407632b96c671774ece05e5025b13f84e479dee9ff1bcbb5dd6ac6ca1

SHA512
22eab92dfc4c45acb7e5cb47b6af9a3dec51f0f69b9b595081bd263cc4b4e43ea0cc79d71ec9795f8483ed1de25ad867b5262757f993dbceb61d495295db4af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
\Users\Admin\AppData\Local\Temp\zzcfkgjqz.exe

Filesize
141KB

MD5
e50e42d6b3cafaa89632a254ada334cb

SHA1
7bb8e821f5bfba782420728fb2eb11ad4c89cc39

SHA256
eeae28f209110b937fda2c7dd87e41e369d7783cac51a893a4431f0214fa94f9

SHA512
f3b089c0b9e3eefb29b6e5ea9588eba92d7769583a76f3d32d693bb44df873b10e285ff6c538bcf4d36b76ad5816f94d8c2f6121f4919dacb72e9109347bb436

Download Submit
memory/1492-70-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/1492-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1956-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download