agenttesla | d1a22dda5220ba19084b3e191aa4cf0028dc48e3176294f3bc298f0d4936de03

General

Target

SHIPPING DOC.exe
Size

291KB
MD5

39b9ca7a4ae24827c6023ec5302e4f3e
SHA1

f4a960435324066317ae6f02a08ebd8275e35ba5
SHA256

d1a22dda5220ba19084b3e191aa4cf0028dc48e3176294f3bc298f0d4936de03
SHA512

3c61c3a67782ed74551bae3f4cb4b002a79039fb5f9d6d78f78bc01b56d12a61235fb7699625486499bca03b151be0c8d6559ff3e9daa3505fb838d330c36136
SSDEEP

6144:/Ya6A3+cPY5fsTruy2rfGVfvjYmA85YrzLUIIwhSYKCuuYlzkD:/Y23fY3ruhksY3LUIB3VukD

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
4620	wdkhjccu.exe
1412	wdkhjccu.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wdkhjccu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wdkhjccu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wdkhjccu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4620 set thread context of 1412	4620	wdkhjccu.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4620	wdkhjccu.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	wdkhjccu.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 4620	1644	SHIPPING DOC.exe	85
PID 1644 wrote to memory of 4620	1644	SHIPPING DOC.exe	85
PID 1644 wrote to memory of 4620	1644	SHIPPING DOC.exe	85
PID 4620 wrote to memory of 1412	4620	wdkhjccu.exe	86
PID 4620 wrote to memory of 1412	4620	wdkhjccu.exe	86
PID 4620 wrote to memory of 1412	4620	wdkhjccu.exe	86
PID 4620 wrote to memory of 1412	4620	wdkhjccu.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wdkhjccu.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wdkhjccu.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe
  "C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe" C:\Users\Admin\AppData\Local\Temp\tvgvcczil.vj
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe
    "C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ixgiqq.we

Filesize
262KB

MD5
0a52ae3f58ac25cace9b55f33178f4e7

SHA1
a3688148c209b864aca708a10bf9081fbf30e5ed

SHA256
767393eed45e630ea4314d3056c6ce54e38016356775429d2bad825e42923c84

SHA512
fa1fdb329fee524dd06df4a91b8130b9d93aa96f7a9202a7c82310d60c134c0b148e9b4f0f7c18a55e26a3c00039fe1dbbcad9c4371e3d72053148003a9ed835

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvgvcczil.vj

Filesize
5KB

MD5
8a8badedeb39ac76c4199e8690e5fddb

SHA1
d8b8e5931d3d28989ffc9157606f558aa9708335

SHA256
eb28e351bbb8350ab7470ad5d2b6975a28196efcf8b344c10fb12387422df025

SHA512
3de87bb7d6706277e7a025bfc58f92e9d120da9fde36d7172e370cf3d9059f8c8f6826c7b531e86eb5014d0f73e3021ccbb977803fd4f837ac7e1a351e1b4d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe

Filesize
59KB

MD5
5488a46eaf4e15a3ceb9ba2872325fa2

SHA1
939eb78e95aa57b68a67d516d726db3fbdb31825

SHA256
3ccf3199ef364344ff57ced7e34fd933300ea091b94fba2f9ca061b32aaab9c8

SHA512
20cb1527b21ff530b7de1aac07621a2217ea61dea449eaa4d330a81f80e7b68f7e60ca67a825aa25f488c11795ae028eff9fd9a93142cf74fc48a159097a4a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe

Filesize
59KB

MD5
5488a46eaf4e15a3ceb9ba2872325fa2

SHA1
939eb78e95aa57b68a67d516d726db3fbdb31825

SHA256
3ccf3199ef364344ff57ced7e34fd933300ea091b94fba2f9ca061b32aaab9c8

SHA512
20cb1527b21ff530b7de1aac07621a2217ea61dea449eaa4d330a81f80e7b68f7e60ca67a825aa25f488c11795ae028eff9fd9a93142cf74fc48a159097a4a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdkhjccu.exe

Filesize
59KB

MD5
5488a46eaf4e15a3ceb9ba2872325fa2

SHA1
939eb78e95aa57b68a67d516d726db3fbdb31825

SHA256
3ccf3199ef364344ff57ced7e34fd933300ea091b94fba2f9ca061b32aaab9c8

SHA512
20cb1527b21ff530b7de1aac07621a2217ea61dea449eaa4d330a81f80e7b68f7e60ca67a825aa25f488c11795ae028eff9fd9a93142cf74fc48a159097a4a39

Download Submit
memory/1412-149-0x00000000057A0000-0x0000000005D44000-memory.dmp

Filesize
5.6MB

Download
memory/1412-153-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-150-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-148-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-151-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-152-0x0000000005290000-0x00000000052F6000-memory.dmp

Filesize
408KB

Download
memory/1412-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-154-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/1412-155-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/1412-156-0x00000000062A0000-0x00000000062F0000-memory.dmp

Filesize
320KB

Download
memory/1412-157-0x0000000006690000-0x0000000006852000-memory.dmp

Filesize
1.8MB

Download
memory/1412-158-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-159-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-160-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1412-161-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing