agenttesla | 4b3b2e33768b07e48c7b2a32ec2e0f0fcd94b2062170b975f5324d77d28105a2

General

Target

tmp.exe
Size

294KB
MD5

2ff3c88cc079f50ba0000d386f8f208f
SHA1

3c8e9271e6eae83788c36874ec7e15c780bc6a77
SHA256

4b3b2e33768b07e48c7b2a32ec2e0f0fcd94b2062170b975f5324d77d28105a2
SHA512

ab1cffe6c627fdc4ed363de3d7219dffc77e374832e54fc27800fcf62799d4ea3e05e4ed482f1d268747edd43434ad1bf17e5a7f8d21187dd4e00ec1cfa28347
SSDEEP

6144:/Ya6RYWU4NPB0erIvWmDVUzlB6TANcHDveE1uj0DHfqXG:/Yz1zNierIeUVq6YcHxckfqXG

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
4672	aihaah.exe
2964	aihaah.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aihaah.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aihaah.exe
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aihaah.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qmrbkfoxtdy = "C:\\Users\\Admin\\AppData\\Roaming\\ibwgbkt\\pyienjscxh.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\aihaah.exe\" C:\\Users\\Admin\\AppData\\Local\\"	aihaah.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4672 set thread context of 2964	4672	aihaah.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4672	aihaah.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	aihaah.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 4672	820	tmp.exe	84
PID 820 wrote to memory of 4672	820	tmp.exe	84
PID 820 wrote to memory of 4672	820	tmp.exe	84
PID 4672 wrote to memory of 2964	4672	aihaah.exe	85
PID 4672 wrote to memory of 2964	4672	aihaah.exe	85
PID 4672 wrote to memory of 2964	4672	aihaah.exe	85
PID 4672 wrote to memory of 2964	4672	aihaah.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aihaah.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aihaah.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\aihaah.exe
  "C:\Users\Admin\AppData\Local\Temp\aihaah.exe" C:\Users\Admin\AppData\Local\Temp\rqxraj.u
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\aihaah.exe
    "C:\Users\Admin\AppData\Local\Temp\aihaah.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aihaah.exe

Filesize
60KB

MD5
126173994331f7784faa6b180e5a2132

SHA1
c5a080d4f2d1e7cd59e02ce6aa3438cf73f7e011

SHA256
88aa17ff396f40e63bb4f11d4a31a9117204692cd027752da0495fdfb58ff665

SHA512
3fbf522e36d4933965f505f0926f207f969f03f8aef8817cd76d9238072b4071a80bb2e437001140dd13fb8a0506f2d7ae215514f3f116641fbadda6b831f914

Download Submit
C:\Users\Admin\AppData\Local\Temp\aihaah.exe

Filesize
60KB

MD5
126173994331f7784faa6b180e5a2132

SHA1
c5a080d4f2d1e7cd59e02ce6aa3438cf73f7e011

SHA256
88aa17ff396f40e63bb4f11d4a31a9117204692cd027752da0495fdfb58ff665

SHA512
3fbf522e36d4933965f505f0926f207f969f03f8aef8817cd76d9238072b4071a80bb2e437001140dd13fb8a0506f2d7ae215514f3f116641fbadda6b831f914

Download Submit
C:\Users\Admin\AppData\Local\Temp\aihaah.exe

Filesize
60KB

MD5
126173994331f7784faa6b180e5a2132

SHA1
c5a080d4f2d1e7cd59e02ce6aa3438cf73f7e011

SHA256
88aa17ff396f40e63bb4f11d4a31a9117204692cd027752da0495fdfb58ff665

SHA512
3fbf522e36d4933965f505f0926f207f969f03f8aef8817cd76d9238072b4071a80bb2e437001140dd13fb8a0506f2d7ae215514f3f116641fbadda6b831f914

Download Submit
C:\Users\Admin\AppData\Local\Temp\dqbah.nzr

Filesize
263KB

MD5
12582a21e249143b37841f5d1a80c0ec

SHA1
33b55b80df8eaed3e04a47509f1ecdb9f3d9a3b1

SHA256
4b9efdd71edb8620e47d5b85133dc73b12ce4d4ac35a135b4a2c6ba546686a33

SHA512
e207963a8402426bcf9eb4fe59b7abdbf207dc0ca4746572884fb2f13f298ae5ab93e0a33d058b50f198fadfa781cd756c715d5ec5a052cddfa6b5b3313b9747

Download Submit
C:\Users\Admin\AppData\Local\Temp\rqxraj.u

Filesize
7KB

MD5
9ddb9349df7cf50af4b523151109f943

SHA1
8a823dc4ad81b7711648301e16c780243094b8ad

SHA256
9531c86366939cdb986683ed27cf5cb9f5a1ce00cd5402831415cb5b3c9415b4

SHA512
f4269b48f39a3a927d99e553c5d5b486cab617dc2e86d59b7a5ef2790c4c1d5343d50a07c6da93ef25fe7445cddfbe026fbdb935b7dc081ed56a12cff32cee98

Download Submit
memory/2964-150-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/2964-154-0x00000000071A0000-0x0000000007232000-memory.dmp

Filesize
584KB

Download
memory/2964-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-149-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/2964-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-151-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/2964-152-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/2964-153-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/2964-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-155-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/2964-156-0x00000000073D0000-0x0000000007420000-memory.dmp

Filesize
320KB

Download
memory/2964-157-0x0000000007730000-0x00000000078F2000-memory.dmp

Filesize
1.8MB

Download
memory/2964-158-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/2964-159-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/2964-160-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/2964-161-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing