agenttesla | d1b62846981e914c930a4edbe940ddf7af722fc9eb3906b9c9dea438f8934c0c

General

Target

Purchase Order _ CCI-12623-11.exe
Size

647KB
MD5

a264328f4b1486826ed7b0c3d8d428bf
SHA1

bfc9d56eb0438268ae48d8082307e1178ff9a04e
SHA256

d1b62846981e914c930a4edbe940ddf7af722fc9eb3906b9c9dea438f8934c0c
SHA512

731c01f1a7b6bec4b4bdb9b0414075d0ce685a5ca8486694d04927572c0777bc2ef2359fb3770811271deab6009d1c8d23cabdd329d91fed384f4b515b506cbd
SSDEEP

12288:/YP92sxyJ30cMwuUEwt7PyjRpsNUojBUQld/Zv2ZE5+7LEv/d9FCSlDM:/YP4REwuUdt76jfZkBU8/v2ZEQLOdzDS

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 4 IoCs

pid	Process
4524	xuknv.exe
4400	xuknv.exe
1376	xuknv.exe
1628	xuknv.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xuknv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xuknv.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xuknv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gpluea = "C:\\Users\\Admin\\AppData\\Roaming\\clhqa\\vfoktpyinwrbw.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xuknv.exe\" \"C:\\Users\\Admin\\AppData\\Local"	xuknv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VvcPRR = "C:\\Users\\Admin\\AppData\\Roaming\\VvcPRR\\VvcPRR.exe"	xuknv.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org
26	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 1628	4524	xuknv.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4524	xuknv.exe
4524	xuknv.exe
4524	xuknv.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	xuknv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4524	xuknv.exe
4524	xuknv.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4524	xuknv.exe
4524	xuknv.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 4524	4112	Purchase Order _ CCI-12623-11.exe	84
PID 4112 wrote to memory of 4524	4112	Purchase Order _ CCI-12623-11.exe	84
PID 4112 wrote to memory of 4524	4112	Purchase Order _ CCI-12623-11.exe	84
PID 4524 wrote to memory of 4400	4524	xuknv.exe	85
PID 4524 wrote to memory of 4400	4524	xuknv.exe	85
PID 4524 wrote to memory of 4400	4524	xuknv.exe	85
PID 4524 wrote to memory of 1376	4524	xuknv.exe	86
PID 4524 wrote to memory of 1376	4524	xuknv.exe	86
PID 4524 wrote to memory of 1376	4524	xuknv.exe	86
PID 4524 wrote to memory of 1628	4524	xuknv.exe	87
PID 4524 wrote to memory of 1628	4524	xuknv.exe	87
PID 4524 wrote to memory of 1628	4524	xuknv.exe	87
PID 4524 wrote to memory of 1628	4524	xuknv.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xuknv.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xuknv.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order _ CCI-12623-11.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order _ CCI-12623-11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\xuknv.exe
  "C:\Users\Admin\AppData\Local\Temp\xuknv.exe" "C:\Users\Admin\AppData\Local\Temp\agnxlu.au3"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\xuknv.exe
    "C:\Users\Admin\AppData\Local\Temp\xuknv.exe"
    3⤵
    - Executes dropped EXE
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\xuknv.exe
    "C:\Users\Admin\AppData\Local\Temp\xuknv.exe"
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\xuknv.exe
    "C:\Users\Admin\AppData\Local\Temp\xuknv.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\agnxlu.au3

Filesize
3KB

MD5
b2f54c41b1aea695d33a3e43dbff2ee9

SHA1
eb1223f61a28101498a7e2893ea508c22af8c80e

SHA256
8a411bb6bd349810053c02c53cd0e3dbdf6824314c41092f2bcc7cebacb80b37

SHA512
833f9eb737553f2510684022c42ddf37849d86edb3a8d7f228f325cd2e86a464cc856da6defeb3afb793d431dedfdf95d4aba3c5c9f3c2a167ca3ed64ab57d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\huiiukg.ef

Filesize
263KB

MD5
45dad481a2f7a94cef30a5b3965ed364

SHA1
404274a71c33454c366b4a3a4754707277ed9283

SHA256
c25ccee7976797a0f7cca5f41dffec916748f5d195d183705de59954f8512cb2

SHA512
24d4553851fddf82158528b3f4bab86353f9b1168814fc63824e6bc2e684460350c963e588a4140b9ac7423600fe761d71b364b93ba53e4cec1ad459300f7ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kqkcqotlh.u

Filesize
71KB

MD5
b186d23aa038c0411dc0da0eb833fa6d

SHA1
5db65ad5810362a0a573f2ea5af425472a23c1fe

SHA256
05d54047ac1c833092edb87a6f38a595d43e05b653b057d0846a9cbf3b4c1996

SHA512
b4e65602e1917eb71b7b161efaa7859b0126ed1b9f0714e3e9cb5c448342f57a9d16c32ed310b3ec6d06de772019c3bd61f857a80422f10f04c8275173ca86a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuknv.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuknv.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuknv.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuknv.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xuknv.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1628-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-157-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/1628-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-166-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-153-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/1628-154-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-155-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-156-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1628-158-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-159-0x0000000007F20000-0x0000000007FB2000-memory.dmp

Filesize
584KB

Download
memory/1628-160-0x0000000007EC0000-0x0000000007ECA000-memory.dmp

Filesize
40KB

Download
memory/1628-161-0x0000000008090000-0x00000000080E0000-memory.dmp

Filesize
320KB

Download
memory/1628-162-0x00000000082B0000-0x0000000008472000-memory.dmp

Filesize
1.8MB

Download
memory/1628-163-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-164-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1628-165-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/4524-141-0x0000000001320000-0x0000000001322000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing