agenttesla | 2de86403327aa376007b509984b68b8bde19279366e80aed50d39593cd495769

General

Target

Servo purchase Order.exe
Size

308KB
MD5

b7e5714c9266e7852db0d529c14922ec
SHA1

db34aa46af23c3f2b7a2d72765548bb39d2f18f7
SHA256

2de86403327aa376007b509984b68b8bde19279366e80aed50d39593cd495769
SHA512

2e95fdd96c98d33b8dd3bdeba2782368c8674482c2d912c62fa6323a56e65c0abe61f93b7dc168d2a15459dc65bb5b8761ba55eeb3b3bdee5b8c5915889b392e
SSDEEP

6144:PYa6qlmwy1hmtJ1Xim4Ijqgq+52wOGSx7M9W8z6WFsUAvbLBxYV85r3b:PYMHy1Ety5IjJq+56FcW8zDFe3BxL5rr

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 4 IoCs

pid	Process
3692	olntyv.exe
3740	olntyv.exe
2256	olntyv.exe
4252	olntyv.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	olntyv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	olntyv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	olntyv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uenjscxhdmvrb = "C:\\Users\\Admin\\AppData\\Roaming\\ajfo\\xtdmirnwgbktpy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\olntyv.exe\" C:\\Users\\Admin\\AppData\\Local"	olntyv.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.ipify.org
30	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 4252	3692	olntyv.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3692	olntyv.exe
3692	olntyv.exe
3692	olntyv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4252	olntyv.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 3692	2340	Servo purchase Order.exe	85
PID 2340 wrote to memory of 3692	2340	Servo purchase Order.exe	85
PID 2340 wrote to memory of 3692	2340	Servo purchase Order.exe	85
PID 3692 wrote to memory of 3740	3692	olntyv.exe	86
PID 3692 wrote to memory of 3740	3692	olntyv.exe	86
PID 3692 wrote to memory of 3740	3692	olntyv.exe	86
PID 3692 wrote to memory of 2256	3692	olntyv.exe	87
PID 3692 wrote to memory of 2256	3692	olntyv.exe	87
PID 3692 wrote to memory of 2256	3692	olntyv.exe	87
PID 3692 wrote to memory of 4252	3692	olntyv.exe	88
PID 3692 wrote to memory of 4252	3692	olntyv.exe	88
PID 3692 wrote to memory of 4252	3692	olntyv.exe	88
PID 3692 wrote to memory of 4252	3692	olntyv.exe	88

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	olntyv.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	olntyv.exe

C:\Users\Admin\AppData\Local\Temp\Servo purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Servo purchase Order.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\olntyv.exe
  "C:\Users\Admin\AppData\Local\Temp\olntyv.exe" C:\Users\Admin\AppData\Local\Temp\bhpdraaktk.nsk
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\olntyv.exe
    "C:\Users\Admin\AppData\Local\Temp\olntyv.exe"
    3⤵
    - Executes dropped EXE
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\olntyv.exe
    "C:\Users\Admin\AppData\Local\Temp\olntyv.exe"
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Users\Admin\AppData\Local\Temp\olntyv.exe
    "C:\Users\Admin\AppData\Local\Temp\olntyv.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bhpdraaktk.nsk

Filesize
7KB

MD5
5bec7658958fedd6542caa6a04239c82

SHA1
53b0e50bef3474b3c691b43a75773575abdb942e

SHA256
c20c4453f5965fc14c2f3189421ed5723c8ce37c31231ea443242fbb0f973290

SHA512
7c671c147a059cfa6b95dfc7bb100d303bbc35cc0c9d18562ff4cf6fb7166c15c3c5a88acbe5fd3a46596b64847b36e2d1e0c39e40d7faa79e9bed8a6e0fe9b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\neblnddfg.c

Filesize
262KB

MD5
eb3c4d8c20362788ca249dd002d2cfea

SHA1
d93777c9fdf5e4bb9716dffc419e11971b222d2b

SHA256
f83fb5de7098c58766cb4bf282418e74b79cb2cb758d9ba3e6b10e2fbd102f12

SHA512
581b322079755b370c4937834eab8bd27fecc6f516d47516df2c8c8c1363b09c14333d81ef9d714db5e590947f52aad41cd6aaba3cdc7903316b97f0b1e5874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\olntyv.exe

Filesize
99KB

MD5
ad4b496a23dc9bc3829aff3e82cf8699

SHA1
3d118de55a2c040f10e82fb14682efb1e8640658

SHA256
8621cae16031dff48e76fd9f82e9ce91ed6b648a5df65b950b4c04d18bd2622c

SHA512
d7cf6f3a7246aaa015ee18108571886a834bb419ac47218724382860d394c11c637fdc77ebd7ef8990d642977d85b4a9b131501cfa471f185c99d7b96dc1603a

Download Submit
C:\Users\Admin\AppData\Local\Temp\olntyv.exe

Filesize
99KB

MD5
ad4b496a23dc9bc3829aff3e82cf8699

SHA1
3d118de55a2c040f10e82fb14682efb1e8640658

SHA256
8621cae16031dff48e76fd9f82e9ce91ed6b648a5df65b950b4c04d18bd2622c

SHA512
d7cf6f3a7246aaa015ee18108571886a834bb419ac47218724382860d394c11c637fdc77ebd7ef8990d642977d85b4a9b131501cfa471f185c99d7b96dc1603a

Download Submit
C:\Users\Admin\AppData\Local\Temp\olntyv.exe

Filesize
99KB

MD5
ad4b496a23dc9bc3829aff3e82cf8699

SHA1
3d118de55a2c040f10e82fb14682efb1e8640658

SHA256
8621cae16031dff48e76fd9f82e9ce91ed6b648a5df65b950b4c04d18bd2622c

SHA512
d7cf6f3a7246aaa015ee18108571886a834bb419ac47218724382860d394c11c637fdc77ebd7ef8990d642977d85b4a9b131501cfa471f185c99d7b96dc1603a

Download Submit
C:\Users\Admin\AppData\Local\Temp\olntyv.exe

Filesize
99KB

MD5
ad4b496a23dc9bc3829aff3e82cf8699

SHA1
3d118de55a2c040f10e82fb14682efb1e8640658

SHA256
8621cae16031dff48e76fd9f82e9ce91ed6b648a5df65b950b4c04d18bd2622c

SHA512
d7cf6f3a7246aaa015ee18108571886a834bb419ac47218724382860d394c11c637fdc77ebd7ef8990d642977d85b4a9b131501cfa471f185c99d7b96dc1603a

Download Submit
C:\Users\Admin\AppData\Local\Temp\olntyv.exe

Filesize
99KB

MD5
ad4b496a23dc9bc3829aff3e82cf8699

SHA1
3d118de55a2c040f10e82fb14682efb1e8640658

SHA256
8621cae16031dff48e76fd9f82e9ce91ed6b648a5df65b950b4c04d18bd2622c

SHA512
d7cf6f3a7246aaa015ee18108571886a834bb419ac47218724382860d394c11c637fdc77ebd7ef8990d642977d85b4a9b131501cfa471f185c99d7b96dc1603a

Download Submit
memory/4252-152-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4252-156-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-151-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/4252-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-154-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-153-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-155-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4252-157-0x0000000006D80000-0x0000000006E12000-memory.dmp

Filesize
584KB

Download
memory/4252-158-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/4252-159-0x0000000007040000-0x0000000007090000-memory.dmp

Filesize
320KB

Download
memory/4252-160-0x0000000007260000-0x0000000007422000-memory.dmp

Filesize
1.8MB

Download
memory/4252-161-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-162-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-163-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4252-164-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing