agenttesla | c5b618054d855fffed65dc372080cdc5de39ca31edd513e7765a02c64f9b9e1b

General

Target

Cotización-202002721.pdf.exe
Size

473KB
MD5

bf2d6295a7e04f44e50101fd3df6b34f
SHA1

223321e3e18c453875f4d625b1327b8a8e05de1a
SHA256

c5b618054d855fffed65dc372080cdc5de39ca31edd513e7765a02c64f9b9e1b
SHA512

fcec0b125961d7ae9f1672e85e61ff0c58a0aa58a3a0686816c32be0581352c08a7a46b16bbe9073f640d26e81b1cd7a0791aa5ea44380b2defb5342db2f79e6
SSDEEP

12288:943FAhu8y7mMaBXkiB/ZrLX/qFiyDwHi220AbWxQhi:e3FSunDuXBX62gvs

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.itzayanaland.com
Port:
587
Username:
security01@itzayanaland.com
Password:
H!S6_PFHTAN{
Email To:
security01@itzayanaland.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Cotización-202002721.pdf.exe

description pid process target process

PID 3888 set thread context of 4164 3888 Cotización-202002721.pdf.exe AddInProcess32.exe

description	pid	process	target process
PID 3888 set thread context of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

Cotización-202002721.pdf.exe

pid	process
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe
3888	Cotización-202002721.pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Cotización-202002721.pdf.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 3888 Cotización-202002721.pdf.exe
Token: SeDebugPrivilege 4164 AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	3888	Cotización-202002721.pdf.exe
Token: SeDebugPrivilege	4164	AddInProcess32.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Cotización-202002721.pdf.exe

description	pid	process	target process
PID 3888 wrote to memory of 2192	3888	Cotización-202002721.pdf.exe	ilasm.exe
PID 3888 wrote to memory of 2192	3888	Cotización-202002721.pdf.exe	ilasm.exe
PID 3888 wrote to memory of 3924	3888	Cotización-202002721.pdf.exe	DataSvcUtil.exe
PID 3888 wrote to memory of 3924	3888	Cotización-202002721.pdf.exe	DataSvcUtil.exe
PID 3888 wrote to memory of 4404	3888	Cotización-202002721.pdf.exe	RegAsm.exe
PID 3888 wrote to memory of 4404	3888	Cotización-202002721.pdf.exe	RegAsm.exe
PID 3888 wrote to memory of 552	3888	Cotización-202002721.pdf.exe	AddInUtil.exe
PID 3888 wrote to memory of 552	3888	Cotización-202002721.pdf.exe	AddInUtil.exe
PID 3888 wrote to memory of 1416	3888	Cotización-202002721.pdf.exe	SMSvcHost.exe
PID 3888 wrote to memory of 1416	3888	Cotización-202002721.pdf.exe	SMSvcHost.exe
PID 3888 wrote to memory of 3700	3888	Cotización-202002721.pdf.exe	EdmGen.exe
PID 3888 wrote to memory of 3700	3888	Cotización-202002721.pdf.exe	EdmGen.exe
PID 3888 wrote to memory of 4112	3888	Cotización-202002721.pdf.exe	aspnet_compiler.exe
PID 3888 wrote to memory of 4112	3888	Cotización-202002721.pdf.exe	aspnet_compiler.exe
PID 3888 wrote to memory of 2264	3888	Cotización-202002721.pdf.exe	aspnet_state.exe
PID 3888 wrote to memory of 2264	3888	Cotización-202002721.pdf.exe	aspnet_state.exe
PID 3888 wrote to memory of 5104	3888	Cotización-202002721.pdf.exe	ComSvcConfig.exe
PID 3888 wrote to memory of 5104	3888	Cotización-202002721.pdf.exe	ComSvcConfig.exe
PID 3888 wrote to memory of 3376	3888	Cotización-202002721.pdf.exe	AppLaunch.exe
PID 3888 wrote to memory of 3376	3888	Cotización-202002721.pdf.exe	AppLaunch.exe
PID 3888 wrote to memory of 4316	3888	Cotización-202002721.pdf.exe	Microsoft.Workflow.Compiler.exe
PID 3888 wrote to memory of 4316	3888	Cotización-202002721.pdf.exe	Microsoft.Workflow.Compiler.exe
PID 3888 wrote to memory of 4324	3888	Cotización-202002721.pdf.exe	aspnet_wp.exe
PID 3888 wrote to memory of 4324	3888	Cotización-202002721.pdf.exe	aspnet_wp.exe
PID 3888 wrote to memory of 4328	3888	Cotización-202002721.pdf.exe	cvtres.exe
PID 3888 wrote to memory of 4328	3888	Cotización-202002721.pdf.exe	cvtres.exe
PID 3888 wrote to memory of 4344	3888	Cotización-202002721.pdf.exe	mscorsvw.exe
PID 3888 wrote to memory of 4344	3888	Cotización-202002721.pdf.exe	mscorsvw.exe
PID 3888 wrote to memory of 5096	3888	Cotización-202002721.pdf.exe	ServiceModelReg.exe
PID 3888 wrote to memory of 5096	3888	Cotización-202002721.pdf.exe	ServiceModelReg.exe
PID 3888 wrote to memory of 4376	3888	Cotización-202002721.pdf.exe	RegSvcs.exe
PID 3888 wrote to memory of 4376	3888	Cotización-202002721.pdf.exe	RegSvcs.exe
PID 3888 wrote to memory of 1888	3888	Cotización-202002721.pdf.exe	csc.exe
PID 3888 wrote to memory of 1888	3888	Cotización-202002721.pdf.exe	csc.exe
PID 3888 wrote to memory of 1292	3888	Cotización-202002721.pdf.exe	aspnet_regsql.exe
PID 3888 wrote to memory of 1292	3888	Cotización-202002721.pdf.exe	aspnet_regsql.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe
PID 3888 wrote to memory of 4164	3888	Cotización-202002721.pdf.exe	AddInProcess32.exe

outlook_office_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

outlook_win_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\Cotización-202002721.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Cotización-202002721.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:2192

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:3924

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:4404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:1416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:3700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:4112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:2264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:5104

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:3376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:4316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:4324

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:4328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:4344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:5096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:4376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:1888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:1292

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3888-133-0x000002AF128E0000-0x000002AF1295C000-memory.dmp

Filesize
496KB

Download
memory/3888-134-0x000002AF14770000-0x000002AF14780000-memory.dmp

Filesize
64KB

Download
memory/4164-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4164-137-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/4164-138-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/4164-139-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4164-140-0x0000000006140000-0x00000000061D2000-memory.dmp

Filesize
584KB

Download
memory/4164-141-0x0000000006120000-0x000000000612A000-memory.dmp

Filesize
40KB

Download
memory/4164-142-0x00000000063C0000-0x0000000006410000-memory.dmp

Filesize
320KB

Download
memory/4164-143-0x00000000065E0000-0x00000000067A2000-memory.dmp

Filesize
1.8MB

Download
memory/4164-144-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads