agenttesla | 36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae

General

Target

36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae.exe
Size

514KB
MD5

81171a0c4fbe80b5f7bc9d41ee97b753
SHA1

0b7584836b43afad22e8e863b2827e7be6b27a1b
SHA256

36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae
SHA512

abd290679554d99e221398588e43bb78d6e7aaa03a201a008614572298c25e3066b775ffc8871533a4299c1e2594b4c9748b168ea15804908908d48cfc224812
SSDEEP

12288:qYi8LodU2EEA7Znkj/tiDsJhDbCbQbJTvIN6:qYioh2Eoj/I4zIN6

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1476	pgidjs.exe
4356	pgidjs.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pgidjs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pgidjs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pgidjs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rbwvss = "C:\\Users\\Admin\\AppData\\Roaming\\xyopexd\\dfigfk.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\pgidjs.exe\" C:\\Users\\Admin\\AppData\\Local\\Temp"	pgidjs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 4356	1476	pgidjs.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1476	pgidjs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4356	pgidjs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 1476	4808	36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae.exe	85
PID 4808 wrote to memory of 1476	4808	36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae.exe	85
PID 4808 wrote to memory of 1476	4808	36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae.exe	85
PID 1476 wrote to memory of 4356	1476	pgidjs.exe	87
PID 1476 wrote to memory of 4356	1476	pgidjs.exe	87
PID 1476 wrote to memory of 4356	1476	pgidjs.exe	87
PID 1476 wrote to memory of 4356	1476	pgidjs.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pgidjs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pgidjs.exe

C:\Users\Admin\AppData\Local\Temp\36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae.exe
"C:\Users\Admin\AppData\Local\Temp\36b012ce5d49946e13199b08e3b41589b4eeb80e429628031d6aab90bb2804ae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\pgidjs.exe
  "C:\Users\Admin\AppData\Local\Temp\pgidjs.exe" C:\Users\Admin\AppData\Local\Temp\mwyeeeys.vbc
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Users\Admin\AppData\Local\Temp\pgidjs.exe
    "C:\Users\Admin\AppData\Local\Temp\pgidjs.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\giiogp.box

Filesize
262KB

MD5
f547e30f8f2770986e878d910106de61

SHA1
b6aa11389d84de74fbbcbdb3563d323f9f890b9e

SHA256
14c9298ff51f6cdcdc74c3872368dd57b73db645242be021535675428a74ef7b

SHA512
f2cbcb550b997911ece8496c5e145c34543858fa4eaab517ab37bc46af4c110603f3897e157203c7f2233fa8e3606db2dc1e0593422345943e8f4b0dea7a148a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwyeeeys.vbc

Filesize
7KB

MD5
7a035c656e5782bc636ba578962d67fb

SHA1
452e0e14c6e4dd19cb72f8dac6e36afd258489a2

SHA256
f8c3741c0d0275461a059a01153e697bb9e8a447f564159e67899eef1c9601e6

SHA512
c69032858b2a9ddc9d839a7483f412579ff7533d3405f71c819e7bd5c0381341cc380edf9620ac813bb3e5c2be3914d908832aa775d18ce7346a6dcab8e9d527

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgidjs.exe

Filesize
51KB

MD5
cad33a3062e0e4fd760da16697f36129

SHA1
40f6779141a031c1958712a025ca3385c4001f5a

SHA256
98d52df342862ac5067f63eb573f97d13f1de1e608ef70d974312be3799832f5

SHA512
24b3c2b2f17104f73f193fec02b525630ff5c7ae1834ba9016646b88aa5b22857d7d423aaa3f8046d33c644888b584e03382ce350ec6fd29bbf96c75ca428420

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgidjs.exe

Filesize
51KB

MD5
cad33a3062e0e4fd760da16697f36129

SHA1
40f6779141a031c1958712a025ca3385c4001f5a

SHA256
98d52df342862ac5067f63eb573f97d13f1de1e608ef70d974312be3799832f5

SHA512
24b3c2b2f17104f73f193fec02b525630ff5c7ae1834ba9016646b88aa5b22857d7d423aaa3f8046d33c644888b584e03382ce350ec6fd29bbf96c75ca428420

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgidjs.exe

Filesize
51KB

MD5
cad33a3062e0e4fd760da16697f36129

SHA1
40f6779141a031c1958712a025ca3385c4001f5a

SHA256
98d52df342862ac5067f63eb573f97d13f1de1e608ef70d974312be3799832f5

SHA512
24b3c2b2f17104f73f193fec02b525630ff5c7ae1834ba9016646b88aa5b22857d7d423aaa3f8046d33c644888b584e03382ce350ec6fd29bbf96c75ca428420

Download Submit
memory/1476-140-0x00000000009C0000-0x00000000009C2000-memory.dmp

Filesize
8KB

Download
memory/4356-151-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-154-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-148-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4356-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-150-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-152-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-153-0x00000000048A0000-0x0000000004906000-memory.dmp

Filesize
408KB

Download
memory/4356-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4356-155-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/4356-156-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/4356-157-0x00000000059F0000-0x0000000005A40000-memory.dmp

Filesize
320KB

Download
memory/4356-158-0x0000000005A50000-0x0000000005C12000-memory.dmp

Filesize
1.8MB

Download
memory/4356-160-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-161-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-162-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/4356-163-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing