agenttesla | 3501fab918546fffee74834af6c02aec8786e608b01e4f1e5e07cfe45eec4863

General

Target

Proforma Invoice.exe
Size

322KB
MD5

39a3f3f36471b8064000154bf44762a0
SHA1

c6bb39e8ee508627d5b435b2ea9b505964991263
SHA256

0175f9a98f786c8a0e17740295f11039984f9e43354657e68e4bcedcccdc6316
SHA512

2fc399372ae14a49316476283988eeee68e53f78ed7db5e34807c874e8bf3f9fb71d401ced74a06116348f02f8a07f297bfbef8af3427c5aaf1466e00596162e
SSDEEP

6144:vYa6qiLjxo4IbCz18MuEduwGFbV8WjzCovDwldKfSv1acG2i+Ilmh:vYsgxqbCzLqwGFbqWiYwldKfSbG2iGh

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
focuzpartsmart.com
Port:
587
Username:
[email protected]
Password:
FpmJhn@2023
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1280	gzxrzbpa.exe
844	gzxrzbpa.exe

Loads dropped DLL 2 IoCs

pid	Process
2032	Proforma Invoice.exe
1280	gzxrzbpa.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gzxrzbpa.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gzxrzbpa.exe
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gzxrzbpa.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 844	1280	gzxrzbpa.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1280	gzxrzbpa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	gzxrzbpa.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1280	2032	Proforma Invoice.exe	27
PID 2032 wrote to memory of 1280	2032	Proforma Invoice.exe	27
PID 2032 wrote to memory of 1280	2032	Proforma Invoice.exe	27
PID 2032 wrote to memory of 1280	2032	Proforma Invoice.exe	27
PID 1280 wrote to memory of 844	1280	gzxrzbpa.exe	28
PID 1280 wrote to memory of 844	1280	gzxrzbpa.exe	28
PID 1280 wrote to memory of 844	1280	gzxrzbpa.exe	28
PID 1280 wrote to memory of 844	1280	gzxrzbpa.exe	28
PID 1280 wrote to memory of 844	1280	gzxrzbpa.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gzxrzbpa.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	gzxrzbpa.exe

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe
  "C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe" C:\Users\Admin\AppData\Local\Temp\qfjuug.ik
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe
    "C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe

Filesize
140KB

MD5
be7b1d60fd92f0ec5fef22118e72a087

SHA1
790e76d61a15e008f844b902503d26991aaff031

SHA256
11e0842909d786479cec05ec423f048a0f699184c5a567d03e32e5fa170f500e

SHA512
44b5cdf44a917e5e1050e46339423d3f85386ed49a815d79e0415ad532e380270dff8ee6dc2ae22896cc96cac1da76bbc026a194fe1dd768342be8ab942d9c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe

Filesize
140KB

MD5
be7b1d60fd92f0ec5fef22118e72a087

SHA1
790e76d61a15e008f844b902503d26991aaff031

SHA256
11e0842909d786479cec05ec423f048a0f699184c5a567d03e32e5fa170f500e

SHA512
44b5cdf44a917e5e1050e46339423d3f85386ed49a815d79e0415ad532e380270dff8ee6dc2ae22896cc96cac1da76bbc026a194fe1dd768342be8ab942d9c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe

Filesize
140KB

MD5
be7b1d60fd92f0ec5fef22118e72a087

SHA1
790e76d61a15e008f844b902503d26991aaff031

SHA256
11e0842909d786479cec05ec423f048a0f699184c5a567d03e32e5fa170f500e

SHA512
44b5cdf44a917e5e1050e46339423d3f85386ed49a815d79e0415ad532e380270dff8ee6dc2ae22896cc96cac1da76bbc026a194fe1dd768342be8ab942d9c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfjuug.ik

Filesize
5KB

MD5
b7999d6bdc28fbd382c64b7d7a3d0248

SHA1
e6b3f46d06a0b84d174ddd8a63ea7786a9c7f3e9

SHA256
2eaa731b846bfafd214af96dee066971d4c404acfce08afdf824b7b4ef5cb455

SHA512
57de250b438f42aefb5696251edebe3dbbf1db8aca36d8d5162301ce83cfc5819075eec0962355841c573a094950197bab5e056da46f8a6e46bb043f0baae4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ztyolesvarb.loi

Filesize
262KB

MD5
a4c3064d43ee0e5fb82bb105d1d956a0

SHA1
b4e52866f00d8d305b83dbb0b11ef1276fe628e7

SHA256
b7855f6dc7f74cf9de4d41e342dc60edb8957368ca672d183379a51132af2c10

SHA512
1260f6416ba4008c0489c513ef76a89cbabbbe61b9b759d4cc8e159d22527907c09a73825d2990d10e9d27a54368eac54d265529a48d1fa526ba70ee7cfe1fa7

Download Submit
\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe

Filesize
140KB

MD5
be7b1d60fd92f0ec5fef22118e72a087

SHA1
790e76d61a15e008f844b902503d26991aaff031

SHA256
11e0842909d786479cec05ec423f048a0f699184c5a567d03e32e5fa170f500e

SHA512
44b5cdf44a917e5e1050e46339423d3f85386ed49a815d79e0415ad532e380270dff8ee6dc2ae22896cc96cac1da76bbc026a194fe1dd768342be8ab942d9c86

Download Submit
\Users\Admin\AppData\Local\Temp\gzxrzbpa.exe

Filesize
140KB

MD5
be7b1d60fd92f0ec5fef22118e72a087

SHA1
790e76d61a15e008f844b902503d26991aaff031

SHA256
11e0842909d786479cec05ec423f048a0f699184c5a567d03e32e5fa170f500e

SHA512
44b5cdf44a917e5e1050e46339423d3f85386ed49a815d79e0415ad532e380270dff8ee6dc2ae22896cc96cac1da76bbc026a194fe1dd768342be8ab942d9c86

Download Submit
memory/844-66-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/844-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-54-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing