agenttesla | d32bba142663cd6203437f8295f7825cd552326b4b0fdb026167cb4d19ba9cd7

Analysis

max time kernel
46s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/03/2023, 08:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

doc10010679052382012143717.exe
Size

1.0MB
MD5

1df06ea86eaac59f70bfb0644f3ad683
SHA1

91e7dea1ab7bf436fc4837df885f167c1dc91d21
SHA256

34f94d5066b7b34db54d13762f1f3b11ac1b4cdfb971cc822bc3c4d9a7394994
SHA512

0f2cf855ec05185d4fb046f4552d742a14dad9fdf78e58daa4fe77f96b8afbe83f5c97cf2d064bfbcd2ce071a7499226a39dd969edfdeecc4a2129c476b71cd4
SSDEEP

24576:/TbBv5rULmVeLmvdWULotH9NwCLmtmH6opxUPYhLKX5yaUr:JBVVgeoULGHjVStmHXxUPYc2

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5729374237:AAEdSD-W5rWlJyyU5nwVKvjLxJBT1jTdKRY/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1084	kqdhcuu.pif
1732	RegSvcs.exe

Loads dropped DLL 2 IoCs

pid	Process
640	wscript.exe
1084	kqdhcuu.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlvf\\kqdhcuu.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\tlvf\\gkbx.pdf"	kqdhcuu.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	kqdhcuu.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 1732	1084	kqdhcuu.pif	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1732	RegSvcs.exe
1732	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1732	RegSvcs.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 640	1676	doc10010679052382012143717.exe	28
PID 1676 wrote to memory of 640	1676	doc10010679052382012143717.exe	28
PID 1676 wrote to memory of 640	1676	doc10010679052382012143717.exe	28
PID 1676 wrote to memory of 640	1676	doc10010679052382012143717.exe	28
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 640 wrote to memory of 1084	640	wscript.exe	29
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30
PID 1084 wrote to memory of 1732	1084	kqdhcuu.pif	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\doc10010679052382012143717.exe
"C:\Users\Admin\AppData\Local\Temp\doc10010679052382012143717.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\System32\wscript.exe" Update-oa.j.vbe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\tlvf\kqdhcuu.pif
    "C:\Users\Admin\AppData\Local\Temp\tlvf\kqdhcuu.pif" gkbx.pdf
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlvf\dtlkhmv.psr

Filesize
371KB

MD5
cd44636dfdab80ab3fb27007d0b4a2ed

SHA1
89d262ea585cf07cfb6f5780b8180984f9ca7c7c

SHA256
1f67c7fe1ff42a1c936b4fafc40dbaadc6df622e25ccbc0129348c5147019850

SHA512
bbe96af6c359437a2fc4e796eb9f9f04a3715c120445684af37349b8edccd3fe09792953d9af19a3228948f1e7c4f827c7d2463cecdcf7507b9926cbdb778022

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlvf\gkbx.pdf

Filesize
107.0MB

MD5
b5a3496af224344711be6ee5c3421391

SHA1
c27204978131e46528b059f7f7b65d38fe8391a5

SHA256
ee26c4ae27e2d1ff2d57ba55b4bd21c9d9cce557d08a5629c47356fd03dd0127

SHA512
6db11ad2a8e009d9b3d3336a471bd1bbe5bfebaae8e6b2e2506d6cef9d4551d6c48015a2d7e42540324ba5092e5a1f97589d919d9938ce81e71b2d3a4c2e853a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlvf\jjffce.txt

Filesize
40KB

MD5
400dbaffca2b38ea360460a0d70917aa

SHA1
d5324f87b4cb0912e16fd5e5c58d3be98cecaf42

SHA256
35bc46e536e7a6f92b854e2049ced53af7d59664eff0989dcccae1f6f6d20b51

SHA512
777cf7f98419e3299cb11b92035a41a59ba04b9acb7f0984ef935dc92a4892608b43d49c38a026809c46c35f9c509c1ef817351e3f6cab6d52356ba0b8a81e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlvf\kqdhcuu.pif

Filesize
1.1MB

MD5
ebbc4d8e41618c39d935f9081cfec59a

SHA1
bd84f38a278e088248a245c7ef703ed02cfd12ab

SHA256
a4e0782f1fe122d36e64305ef8fbf5870207ee85cc5ed2fb72de4bf26ad62d45

SHA512
0c959a6998664a21cbb33754055aaa318f7e538933ba62cd9c08d498fb73bce40a46a12b976f5edf8aea40d5b811f8a387ab20806821fc97f2c9996c26057c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlvf\kqdhcuu.pif

Filesize
1.1MB

MD5
ebbc4d8e41618c39d935f9081cfec59a

SHA1
bd84f38a278e088248a245c7ef703ed02cfd12ab

SHA256
a4e0782f1fe122d36e64305ef8fbf5870207ee85cc5ed2fb72de4bf26ad62d45

SHA512
0c959a6998664a21cbb33754055aaa318f7e538933ba62cd9c08d498fb73bce40a46a12b976f5edf8aea40d5b811f8a387ab20806821fc97f2c9996c26057c7c

Download Submit
C:\Users\Admin\AppData\Local\temp\tlvf\Update-oa.j.vbe

Filesize
64KB

MD5
637e5b82549f83cb05b74d9169ef9e91

SHA1
9cfc2c3e354f0805bcd6f84b508df9684230b627

SHA256
fc15f3c712f01e73e16583178d44d2c53d574acb9ac0f613f7501dafb1abe623

SHA512
fd81299c18615e611c972f1afa1003345b112226997d5a5b8492eaa2e2bdb8df15630596bb66a8910f5b8f1d9289bd3ac97d61611bf7436190855a08997ce573

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\tlvf\kqdhcuu.pif

Filesize
1.1MB

MD5
ebbc4d8e41618c39d935f9081cfec59a

SHA1
bd84f38a278e088248a245c7ef703ed02cfd12ab

SHA256
a4e0782f1fe122d36e64305ef8fbf5870207ee85cc5ed2fb72de4bf26ad62d45

SHA512
0c959a6998664a21cbb33754055aaa318f7e538933ba62cd9c08d498fb73bce40a46a12b976f5edf8aea40d5b811f8a387ab20806821fc97f2c9996c26057c7c

Download Submit
memory/1732-111-0x00000000002B0000-0x0000000000994000-memory.dmp

Filesize
6.9MB

Download
memory/1732-113-0x00000000002B0000-0x0000000000994000-memory.dmp

Filesize
6.9MB

Download
memory/1732-116-0x00000000002B0000-0x0000000000994000-memory.dmp

Filesize
6.9MB

Download
memory/1732-118-0x00000000002B0000-0x0000000000994000-memory.dmp

Filesize
6.9MB

Download
memory/1732-112-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1732-120-0x00000000002B0000-0x00000000002EA000-memory.dmp

Filesize
232KB

Download
memory/1732-121-0x0000000005180000-0x00000000051C0000-memory.dmp

Filesize
256KB

Download
memory/1732-122-0x0000000005180000-0x00000000051C0000-memory.dmp

Filesize
256KB

Download
memory/1732-123-0x0000000005180000-0x00000000051C0000-memory.dmp

Filesize
256KB

Download