agenttesla | 2caf3549c798fc1fa04d9b588409cdc4a01bf15ca9b892273f747ea1301c1cb8

General

Target

PHILIP.exe
Size

324KB
MD5

443750f08bb402c1cee9f7ed5641de40
SHA1

36e10876601d74747ade10db65ebba79fcdd7b72
SHA256

dec27cdadd52f7d2264eb50ecbae1d43313c917594d9c4b93ea936b556f05902
SHA512

d06a70a036d9602fcbdaf2157d6b98271f9877256f9cc6b7a3c7191f810b48bd0faf8e170f61800bad6e5fa50cdb29188a94d39d17463cfbde55755dccff090e
SSDEEP

6144:vYa6lInxv/GBwkvnZkaIkDkiUjBEFefnDyhIHUe7NBG5LB:vYP2Uw2nQjiceFSDUc7NG1

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 4 IoCs

pid	Process
4200	digdconvf.exe
4888	digdconvf.exe
4860	digdconvf.exe
3540	digdconvf.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	digdconvf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	digdconvf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	digdconvf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soxdmirrbvfo = "C:\\Users\\Admin\\AppData\\Roaming\\ktdyirnv\\rbkgpyuueaj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\digdconvf.exe\" C:\\Users\\Admin\\AppData\\L"	digdconvf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XynDz = "C:\\Users\\Admin\\AppData\\Roaming\\XynDz\\XynDz.exe"	digdconvf.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api.ipify.org
12	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4200 set thread context of 3540	4200	digdconvf.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4200	digdconvf.exe
4200	digdconvf.exe
4200	digdconvf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	digdconvf.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4200	5056	PHILIP.exe	80
PID 5056 wrote to memory of 4200	5056	PHILIP.exe	80
PID 5056 wrote to memory of 4200	5056	PHILIP.exe	80
PID 4200 wrote to memory of 4888	4200	digdconvf.exe	81
PID 4200 wrote to memory of 4888	4200	digdconvf.exe	81
PID 4200 wrote to memory of 4888	4200	digdconvf.exe	81
PID 4200 wrote to memory of 4860	4200	digdconvf.exe	82
PID 4200 wrote to memory of 4860	4200	digdconvf.exe	82
PID 4200 wrote to memory of 4860	4200	digdconvf.exe	82
PID 4200 wrote to memory of 3540	4200	digdconvf.exe	83
PID 4200 wrote to memory of 3540	4200	digdconvf.exe	83
PID 4200 wrote to memory of 3540	4200	digdconvf.exe	83
PID 4200 wrote to memory of 3540	4200	digdconvf.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	digdconvf.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	digdconvf.exe

C:\Users\Admin\AppData\Local\Temp\PHILIP.exe
"C:\Users\Admin\AppData\Local\Temp\PHILIP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
  "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe" C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
    "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"
    3⤵
    - Executes dropped EXE
    PID:4888
- - C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
    "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"
    3⤵
    - Executes dropped EXE
    PID:4860
- - C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
    "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\digdconvf.exe

Filesize
127KB

MD5
548c32a92cd221f0b0a1e5ab389bf5af

SHA1
ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

SHA256
ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

SHA512
d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\digdconvf.exe

Filesize
127KB

MD5
548c32a92cd221f0b0a1e5ab389bf5af

SHA1
ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

SHA256
ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

SHA512
d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\digdconvf.exe

Filesize
127KB

MD5
548c32a92cd221f0b0a1e5ab389bf5af

SHA1
ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

SHA256
ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

SHA512
d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\digdconvf.exe

Filesize
127KB

MD5
548c32a92cd221f0b0a1e5ab389bf5af

SHA1
ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

SHA256
ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

SHA512
d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\digdconvf.exe

Filesize
127KB

MD5
548c32a92cd221f0b0a1e5ab389bf5af

SHA1
ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

SHA256
ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

SHA512
d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug

Filesize
7KB

MD5
fd2b5db4a3e41d39623fb54f73ea8f5e

SHA1
fcce51cbb53a0e5d7aa694f3322a09854480fd02

SHA256
0273b0a96847a19d6a9569c9ca02a9d95d196eebeaa666b58f74028451386475

SHA512
a0af6a7e4b8411776b0007be01ddcfbd05560f168eb1554874fb9729f6adb6f82044c969bf0e598c2992844e19faa06536b80316a11ac4fb2e0800e24a66a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\svnwdctuh.ir

Filesize
266KB

MD5
e4e6989f4cb92813cb3415e839bac761

SHA1
711a5250fef9cbeb2181725bf8d15ab0b7e0bd47

SHA256
4042be4b86842251228cc7193b8ac462c02b5dd144bbad9556cef770176befcc

SHA512
812627eb2bb60c18151c90afd10187420aa97c924eade61720b1002341f188d60ccdf6f62c0c37a2f5bc647ef60ebe02fd170b484a3c2654308e2ec64a9d54cd

Download Submit
memory/3540-141-0x0000000000000000-mapping.dmp

Download
memory/3540-143-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/3540-144-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/3540-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3540-146-0x00000000065A0000-0x0000000006632000-memory.dmp

Filesize
584KB

Download
memory/3540-147-0x0000000006580000-0x000000000658A000-memory.dmp

Filesize
40KB

Download
memory/3540-148-0x00000000067D0000-0x0000000006820000-memory.dmp

Filesize
320KB

Download
memory/3540-149-0x0000000006A30000-0x0000000006BF2000-memory.dmp

Filesize
1.8MB

Download
memory/3540-150-0x0000000006900000-0x000000000699C000-memory.dmp

Filesize
624KB

Download
memory/4200-132-0x0000000000000000-mapping.dmp

Download
memory/4860-139-0x0000000000000000-mapping.dmp

Download
memory/4888-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing