agenttesla | 5bf208344ea17831afe203650df2ff3412f0c8f4daa5565c510e71ab8ff1644a

General

Target

URGENT REQUEST.exe
Size

309KB
MD5

dc597e0353112898b43b39e8abcae7ab
SHA1

da93f36cdb454f994803c4eb016d4db5cee81ab9
SHA256

5bf208344ea17831afe203650df2ff3412f0c8f4daa5565c510e71ab8ff1644a
SHA512

b311dfb34b7a7cfac4a8964e961bdf2d92734b6db595dd258ad711bbff4affff733d5826a6ed1cd3e275323c509c6da352978e05369f98fd9b6c2f28d8657539
SSDEEP

6144:PYa66MT4PWwDNJPa5C+ZZ6cGITYdFpMBNzShHSOQ/SnYZt/GK/9:PY0Gdwi5P6cGZpPsoYXeK/9

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
4328	ouwlcss.exe
1220	ouwlcss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ouwlcss.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ouwlcss.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ouwlcss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 1220	4328	ouwlcss.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4328	ouwlcss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1220	ouwlcss.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4328	2000	URGENT REQUEST.exe	86
PID 2000 wrote to memory of 4328	2000	URGENT REQUEST.exe	86
PID 2000 wrote to memory of 4328	2000	URGENT REQUEST.exe	86
PID 4328 wrote to memory of 1220	4328	ouwlcss.exe	87
PID 4328 wrote to memory of 1220	4328	ouwlcss.exe	87
PID 4328 wrote to memory of 1220	4328	ouwlcss.exe	87
PID 4328 wrote to memory of 1220	4328	ouwlcss.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ouwlcss.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ouwlcss.exe

C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe
  "C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe" C:\Users\Admin\AppData\Local\Temp\cbxmsjeph.awy
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe
    "C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cbxmsjeph.awy

Filesize
5KB

MD5
4dc2ec2b0dd761b8e36e24340229f1d9

SHA1
c6d28b6595c6222820b7623b39a9447d1e07e9c2

SHA256
795882b3d8643f3e455b22dd397d6a3883b90b751b36628e90478924f29648c0

SHA512
c6609213dd48f370c080ffabebee361b05c3bbada7464a8c55d78dd7bac9b7657a88bc9cd7e4d0fea0bbee2e9ec4371063daf4bd878cee572f10464083ebe762

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe

Filesize
97KB

MD5
6627770f02dd996dbe6f41a4df48e456

SHA1
4890ade0621aae1e39708296b5d9d09a88b05985

SHA256
b291edd746336c38a338e957d062b18a43d28e5c8bc34ad0c5fc1efd3555fd03

SHA512
46b3caeda405596cb0d4e33c65d511a45fb92be0c34ab21b62d77da30ad53ac3c50d6d83331fa6074dea28f711eab371a17f0b34696d2ebb31e7993944e8da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe

Filesize
97KB

MD5
6627770f02dd996dbe6f41a4df48e456

SHA1
4890ade0621aae1e39708296b5d9d09a88b05985

SHA256
b291edd746336c38a338e957d062b18a43d28e5c8bc34ad0c5fc1efd3555fd03

SHA512
46b3caeda405596cb0d4e33c65d511a45fb92be0c34ab21b62d77da30ad53ac3c50d6d83331fa6074dea28f711eab371a17f0b34696d2ebb31e7993944e8da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\ouwlcss.exe

Filesize
97KB

MD5
6627770f02dd996dbe6f41a4df48e456

SHA1
4890ade0621aae1e39708296b5d9d09a88b05985

SHA256
b291edd746336c38a338e957d062b18a43d28e5c8bc34ad0c5fc1efd3555fd03

SHA512
46b3caeda405596cb0d4e33c65d511a45fb92be0c34ab21b62d77da30ad53ac3c50d6d83331fa6074dea28f711eab371a17f0b34696d2ebb31e7993944e8da66

Download Submit
C:\Users\Admin\AppData\Local\Temp\trdnmfkgx.gl

Filesize
262KB

MD5
9f53db27a80a20caf2c6d5a1e1c5f950

SHA1
2641c929dd9e3c3d4734a9da97aeb3555624f80c

SHA256
add2f7fc1c6dd98a926feb51cbb478e721a071eb97c2331678c027f9bf5123a0

SHA512
102832a430013403fd52c08e27373f46fc73fcef62bb6a182280e9b03e73e9471ca1ac7287e5ae79318dd9fbc3917e1d6fa025602fc62a648e8f965f8af675ca

Download Submit
memory/1220-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-153-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-147-0x0000000005820000-0x0000000005DC4000-memory.dmp

Filesize
5.6MB

Download
memory/1220-148-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/1220-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-151-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-150-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-152-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-154-0x0000000006130000-0x00000000061C2000-memory.dmp

Filesize
584KB

Download
memory/1220-155-0x0000000006100000-0x000000000610A000-memory.dmp

Filesize
40KB

Download
memory/1220-156-0x0000000006380000-0x00000000063D0000-memory.dmp

Filesize
320KB

Download
memory/1220-157-0x00000000065A0000-0x0000000006762000-memory.dmp

Filesize
1.8MB

Download
memory/1220-158-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-159-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-160-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1220-161-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing