agenttesla | 63dfdf139256d716209f2c662066602cf83e2b8d5988195c6e3cc07c2746a430

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/03/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice-031.exe
Size

267KB
MD5

6ed0e9cae0d65e3719b07c8ebd2099e6
SHA1

3ef81998b04f6a942abae7a998fce04c2416bd09
SHA256

63dfdf139256d716209f2c662066602cf83e2b8d5988195c6e3cc07c2746a430
SHA512

a98ff273ca01e4dc1deb6cfef64f67e44b581b0d87e2c6f56aaafc119e34f21484a9c39f7e879e61d6b6155da4960e6f45fd091788667941f5018094b0aa6202
SSDEEP

6144:/Ya6uBE4ZA66KgDJl06kW4RAkEUAektELYxHJilsxGJBI:/Y4dA6BqnRkHPAek6+HlGJBI

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
920	sfrsrwwl.exe
576	sfrsrwwl.exe

Loads dropped DLL 3 IoCs

pid	Process
1424	Invoice-031.exe
1424	Invoice-031.exe
920	sfrsrwwl.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sfrsrwwl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sfrsrwwl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sfrsrwwl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 920 set thread context of 576	920	sfrsrwwl.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
920	sfrsrwwl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	sfrsrwwl.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 920	1424	Invoice-031.exe	28
PID 1424 wrote to memory of 920	1424	Invoice-031.exe	28
PID 1424 wrote to memory of 920	1424	Invoice-031.exe	28
PID 1424 wrote to memory of 920	1424	Invoice-031.exe	28
PID 920 wrote to memory of 576	920	sfrsrwwl.exe	29
PID 920 wrote to memory of 576	920	sfrsrwwl.exe	29
PID 920 wrote to memory of 576	920	sfrsrwwl.exe	29
PID 920 wrote to memory of 576	920	sfrsrwwl.exe	29
PID 920 wrote to memory of 576	920	sfrsrwwl.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sfrsrwwl.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	sfrsrwwl.exe

C:\Users\Admin\AppData\Local\Temp\Invoice-031.exe
"C:\Users\Admin\AppData\Local\Temp\Invoice-031.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe
  "C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe" C:\Users\Admin\AppData\Local\Temp\vsgrorcji.ff
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe
    "C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eufjdbfraei.pib

Filesize
262KB

MD5
2b26dbad66a4a3c76865a582302b5c14

SHA1
4a89310fb8335e917eaf5bc770930ca5cd014415

SHA256
8eac6072c80e40cfe23474603a31715a35f991d983bad84370b833f39e3e29fb

SHA512
2086084ae90bdfb0bcddbc24a6735de1e579a5b543492026d968525058476873508503fccb8dff8cbf9f987e1efafd8e97e7f313554ff48e5fd24808e41dab4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
C:\Users\Admin\AppData\Local\Temp\vsgrorcji.ff

Filesize
5KB

MD5
87a4fd4c2069ab7e4cdbe9e9e4007d2c

SHA1
31b352d47ea1c2726e6b2d04dc4b7990f5ec7c44

SHA256
01392c9aed1cd6adb6003ff049dcc4dbf1ba8f5a20e320901fb706704f934bcf

SHA512
3697539e7b5f561003bbc8ad84e24329c2abb114811ffd2317cfbdea3c5313a154d9cfb0d4854d77dae65a65e5c3daceec655a078cf6ff4e04698882caebcb93

Download Submit
\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
\Users\Admin\AppData\Local\Temp\sfrsrwwl.exe

Filesize
8KB

MD5
86c56568bee1d3a0d039a45a19defa53

SHA1
817fc01456ce81e938485839449fc0deb55b393c

SHA256
ed4976fa976dc60b0f51e3f19e4766eaac256dd5e661394410189b690e3f0ae1

SHA512
8b16cb91e7dec0f2f8cb08c3446d77811cf9bfacbc1b096fe13945d354624662242ba3e0f046506a5d92ff99f9665f2864563585e99541937c1508cac1b5e468

Download Submit
memory/576-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/576-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/576-74-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/576-75-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/576-76-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download