agenttesla | c6735b2a077fe3ee4af8bb2550602b08ce1806e4c8b73dd6a399ed596e7ba4e4

General

Target

SHIPMENT ADVICE.exe
Size

291KB
MD5

e65a0c7076941b4ba2aea0a89d02ab07
SHA1

5edda828f7e9ef3275e71cd608e48861f98cad3d
SHA256

686579ac798116984a5f68c10fff3ae521d14c3cfc5e7891618a963693dfeb6f
SHA512

b78294fa89ce1c2298ee674b1884c632dfb253fa6b105778fbc95575e604ccc8fe908be0312a91d06a69a3eb2dbaf4625b5fd28ac3ad8a23eda03b6c2cf17cf6
SSDEEP

6144:/Ya6ues+r6puHTclv1w/z0+Wf9PgEh0sj9hVxrM0B+TbHYz:/YQvZpuHGv1q+oEXhTUYz

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
3360	tjuxxo.exe
100	tjuxxo.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tjuxxo.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tjuxxo.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tjuxxo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3360 set thread context of 100	3360	tjuxxo.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3360	tjuxxo.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	100	tjuxxo.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 3360	1716	SHIPMENT ADVICE.exe	88
PID 1716 wrote to memory of 3360	1716	SHIPMENT ADVICE.exe	88
PID 1716 wrote to memory of 3360	1716	SHIPMENT ADVICE.exe	88
PID 3360 wrote to memory of 100	3360	tjuxxo.exe	89
PID 3360 wrote to memory of 100	3360	tjuxxo.exe	89
PID 3360 wrote to memory of 100	3360	tjuxxo.exe	89
PID 3360 wrote to memory of 100	3360	tjuxxo.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tjuxxo.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	tjuxxo.exe

C:\Users\Admin\AppData\Local\Temp\SHIPMENT ADVICE.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPMENT ADVICE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe
  "C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe" C:\Users\Admin\AppData\Local\Temp\anqcelo.ph
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe
    "C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\anqcelo.ph

Filesize
5KB

MD5
56dcb4a4f31c61a3be095cd7bc81ca53

SHA1
49f5eef20087ca71f2c4690d1ea14c159dca7120

SHA256
8b4d683fcfce4c82b46459469724c6703357c33d4996505e5e99d55501c5ef20

SHA512
f86da3858df4a7041a7d689604275e159c79f9862f4e5594de0e50d9c00d5deb1988ef2bae941ece69c8501c75bc741ed6ca5eaffe59c66032f9c1078909e424

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe

Filesize
59KB

MD5
ae4c7bbc487241a0a95144fbac4df140

SHA1
ffec7dd60f4dd056c2dfec4da4efd2fa484ea551

SHA256
777f30247ffd1c43ced0905634bab80238eaf7f8fc20184a57e9a1a075cff49f

SHA512
08cc1b7c38f57d0053ffa08e8539c59ab9130af1286a26fcb00fe8fb58d7cc669f97d2d7b3adbea1937c79f30361d1d94463a684d536b36e5e73968b9afdfa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe

Filesize
59KB

MD5
ae4c7bbc487241a0a95144fbac4df140

SHA1
ffec7dd60f4dd056c2dfec4da4efd2fa484ea551

SHA256
777f30247ffd1c43ced0905634bab80238eaf7f8fc20184a57e9a1a075cff49f

SHA512
08cc1b7c38f57d0053ffa08e8539c59ab9130af1286a26fcb00fe8fb58d7cc669f97d2d7b3adbea1937c79f30361d1d94463a684d536b36e5e73968b9afdfa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjuxxo.exe

Filesize
59KB

MD5
ae4c7bbc487241a0a95144fbac4df140

SHA1
ffec7dd60f4dd056c2dfec4da4efd2fa484ea551

SHA256
777f30247ffd1c43ced0905634bab80238eaf7f8fc20184a57e9a1a075cff49f

SHA512
08cc1b7c38f57d0053ffa08e8539c59ab9130af1286a26fcb00fe8fb58d7cc669f97d2d7b3adbea1937c79f30361d1d94463a684d536b36e5e73968b9afdfa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynetyh.c

Filesize
262KB

MD5
5e1b112b130a9fbc891ca77d3a460538

SHA1
c46a1341cd59b1ccd4a642383d994e00c3716a01

SHA256
8c275e401159d3555f7ec7c3644708050bfff8d40ee17bed8077a4a42a70937e

SHA512
b2faa59bfa27d1d5b4aa514d9548cabaea072b7be34068091fb341951fd11bb211b4ea33396a0bea9e0644f5aca2b8ed491cfd21b86ccab8582aaa35925617b6

Download Submit
memory/100-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/100-152-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/100-147-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/100-148-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/100-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/100-150-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-151-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-153-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/100-154-0x0000000005F50000-0x0000000005FE2000-memory.dmp

Filesize
584KB

Download
memory/100-155-0x0000000005F40000-0x0000000005F4A000-memory.dmp

Filesize
40KB

Download
memory/100-156-0x00000000061F0000-0x0000000006240000-memory.dmp

Filesize
320KB

Download
memory/100-157-0x0000000006540000-0x0000000006702000-memory.dmp

Filesize
1.8MB

Download
memory/100-158-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-159-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-160-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download
memory/100-161-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing