agenttesla | 0a50f91b86f94c3cd8ad50d4ead7c2f214f96f8f021a41f7313d9bef71e30d5f

Analysis

max time kernel
29s
max time network
134s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bca8daa934091776fb136ec36063ea6.exe
Size

293KB
MD5

6bca8daa934091776fb136ec36063ea6
SHA1

d0daa2630422202f7a7b414e2ebbe3e71576e427
SHA256

0a50f91b86f94c3cd8ad50d4ead7c2f214f96f8f021a41f7313d9bef71e30d5f
SHA512

8651f5d3568a5fabec83680067512121b3037b32e893052a2461dd1a40f214dc169c30f34ed84aec5c5f421a79d19c45d81edea23191f7f3313dce60d2eafe19
SSDEEP

6144:/Ya6nLGeRvgtKV71gY5EOaIL23eE1cE8o8qwD5p3FrY6fIyS02be2W2zmM7:/Y1LGmvgtKV7VSc63eER0NpSuaZ7

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 3 IoCs

pid	Process
928	soedvr.exe
1536	soedvr.exe
868	soedvr.exe

Loads dropped DLL 4 IoCs

pid	Process
1236	6bca8daa934091776fb136ec36063ea6.exe
1236	6bca8daa934091776fb136ec36063ea6.exe
928	soedvr.exe
928	soedvr.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soedvr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soedvr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soedvr.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 868	928	soedvr.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
928	soedvr.exe
928	soedvr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	soedvr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
868	soedvr.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 928	1236	6bca8daa934091776fb136ec36063ea6.exe	28
PID 1236 wrote to memory of 928	1236	6bca8daa934091776fb136ec36063ea6.exe	28
PID 1236 wrote to memory of 928	1236	6bca8daa934091776fb136ec36063ea6.exe	28
PID 1236 wrote to memory of 928	1236	6bca8daa934091776fb136ec36063ea6.exe	28
PID 928 wrote to memory of 1536	928	soedvr.exe	29
PID 928 wrote to memory of 1536	928	soedvr.exe	29
PID 928 wrote to memory of 1536	928	soedvr.exe	29
PID 928 wrote to memory of 1536	928	soedvr.exe	29
PID 928 wrote to memory of 868	928	soedvr.exe	30
PID 928 wrote to memory of 868	928	soedvr.exe	30
PID 928 wrote to memory of 868	928	soedvr.exe	30
PID 928 wrote to memory of 868	928	soedvr.exe	30
PID 928 wrote to memory of 868	928	soedvr.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soedvr.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	soedvr.exe

C:\Users\Admin\AppData\Local\Temp\6bca8daa934091776fb136ec36063ea6.exe
"C:\Users\Admin\AppData\Local\Temp\6bca8daa934091776fb136ec36063ea6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\soedvr.exe
  "C:\Users\Admin\AppData\Local\Temp\soedvr.exe" C:\Users\Admin\AppData\Local\Temp\umcjtwav.nfl
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Users\Admin\AppData\Local\Temp\soedvr.exe
    "C:\Users\Admin\AppData\Local\Temp\soedvr.exe"
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Users\Admin\AppData\Local\Temp\soedvr.exe
    "C:\Users\Admin\AppData\Local\Temp\soedvr.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\mfifcwbysq.w

Filesize
262KB

MD5
e653f76fc6f8c125b5625be4e810fcff

SHA1
3de65934278333b6049ebfc6663f01079094947e

SHA256
5c8e03d201b0204d7bf4959c6d66ad2fd0976c4debe71d22f90b610cd7344176

SHA512
ce0e577cc8977df5265fac12c8cce73d5007585ad9f5f5f6c9db66b3ea48c02c6a281d45aabb3a3ef89ed2d6f063b125245c5487d95e4627c74af81444a6c6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
C:\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
C:\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
C:\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
C:\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
C:\Users\Admin\AppData\Local\Temp\umcjtwav.nfl

Filesize
5KB

MD5
2e161d1cbda8e0f62cb62c12df50e646

SHA1
ff68f78b4493044f5159b8acca6b99cd9e6d998e

SHA256
84889f1fdba88e444d7b6d21b775e747fc032dab38e0f2e9d4544b220eaad774

SHA512
4d3cd26ce1157283cb0f5ee0a082f60db08e3c7c913bdedfe6905d4e021a04cbe209ed10c77ac99cdcf57380b79108b17f8da6038b33e59fe64d72349fe62877

Download Submit
\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
\Users\Admin\AppData\Local\Temp\soedvr.exe

Filesize
60KB

MD5
b95a324e738593b23f90429013da8d63

SHA1
d757f975cb642a16715afd537d2a82dbf4b63846

SHA256
4fb4a7749f1c6406522ea5e7b0c2d02783785c76bb35c0384729d1ffd634e088

SHA512
e94eeb2f9edf6971f75d3aa02a1dfe98bdd454f7d82e6753a11ffa92f96bace93d7e2a4961c9aafcb3b1bbb8a1412111616bbcb05512431e26eb0eb843831032

Download Submit
memory/868-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-75-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-76-0x00000000001F0000-0x0000000000220000-memory.dmp

Filesize
192KB

Download
memory/868-77-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/868-78-0x0000000004310000-0x0000000004350000-memory.dmp

Filesize
256KB

Download