agenttesla | 30e7620c14c4ff2cd4c467bc26a9524f84ac84a0111b08e614cf8782964b3a66

Analysis

max time kernel
31s
max time network
118s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/03/2023, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT COPY.exe
Size

276KB
MD5

65c66f9180680269fc00bcf294a8ee7f
SHA1

7101b6f275fce0656c3da4b852267eb8be6adedc
SHA256

30e7620c14c4ff2cd4c467bc26a9524f84ac84a0111b08e614cf8782964b3a66
SHA512

576743fc1b66cd1b8bde9e8466ac553cfbeb49ccaa104e49442cefb7029a8653a0ee7a530ca8447ddc0a98242d4888a0fb4b29f2161b1ffebf7067cee12d1ecb
SSDEEP

6144:PYa63yaKAMyDQ0JfRi2LeB/qIry71pTfmLtXTeC/:PYNFj62LeB/qoipTEZTe+

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5662683474:AAFvSjyPXTiwhBPcFi8of3_-_FCdfhhN8x0/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1684	elwoeakby.exe
664	elwoeakby.exe

Loads dropped DLL 3 IoCs

pid	Process
1316	PAYMENT COPY.exe
1316	PAYMENT COPY.exe
1684	elwoeakby.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	elwoeakby.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	elwoeakby.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	elwoeakby.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\lueajsoxt = "C:\\Users\\Admin\\AppData\\Roaming\\afok\\tdyienwsclhq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\elwoeakby.exe\" C:\\Users\\Admin\\AppData\\Loca"	elwoeakby.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\zOwta = "C:\\Users\\Admin\\AppData\\Roaming\\zOwta\\zOwta.exe"	elwoeakby.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 664	1684	elwoeakby.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1684	elwoeakby.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	664	elwoeakby.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
664	elwoeakby.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1684	1316	PAYMENT COPY.exe	28
PID 1316 wrote to memory of 1684	1316	PAYMENT COPY.exe	28
PID 1316 wrote to memory of 1684	1316	PAYMENT COPY.exe	28
PID 1316 wrote to memory of 1684	1316	PAYMENT COPY.exe	28
PID 1684 wrote to memory of 664	1684	elwoeakby.exe	30
PID 1684 wrote to memory of 664	1684	elwoeakby.exe	30
PID 1684 wrote to memory of 664	1684	elwoeakby.exe	30
PID 1684 wrote to memory of 664	1684	elwoeakby.exe	30
PID 1684 wrote to memory of 664	1684	elwoeakby.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	elwoeakby.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	elwoeakby.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe
  "C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe" C:\Users\Admin\AppData\Local\Temp\ibaudsnkx.k
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe
    "C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab34F8.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
C:\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibaudsnkx.k

Filesize
7KB

MD5
bf33251d3b2849975cb6c18de7a02e9c

SHA1
0bb0e5bf52f261aad63d9bdc98e131961f4606c2

SHA256
ad51f7e59436f6dba134653f71606e3c5f9ff9ff0a590617a7cc707ab0a7df55

SHA512
993a31420c0e4cd49a6385b1ad56a7bd59473846248b3a3d04c588ba5f61866af0be3dcf3128c1bd71fc52fb2f07af1b3e316ef52cb53ae86b09ee58e79def22

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxnmwjuyz.sd

Filesize
264KB

MD5
9d3b7fbfe0b891b6d6c00d2b00da8e5d

SHA1
6d5d9654c088ca683d9dc39865643140b865d92d

SHA256
b51536bf5c72f398bf3f54a39adbc0ea07254859aa19f46bc71dd344c8849f22

SHA512
02c62531eb57415e8e307c99f10bf69ebb3954fde453e6017d85f00984ec1e8d2b4ad7194300ec69d2d8ace902394375e57e065d2346806d891472e3b3fcd59f

Download Submit
\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
\Users\Admin\AppData\Local\Temp\elwoeakby.exe

Filesize
26KB

MD5
e6b73d0ed9498633a6b2b93cdc74bcec

SHA1
ae3d849954ac5aa5aed24d83df28130a96795fe6

SHA256
e7fffdd123455932ef8c994008bed058a504c8f77ab54d13e81570c7e03393f5

SHA512
947f965fd16f4e3d1d38fdb4402a7bb94cd2fb8606a00d661df14ee124b200fc74b8587afc2b1aecc55b2b3259b86795102948056685a3969b69fe9212d86025

Download Submit
memory/664-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-75-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/664-76-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/664-77-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download