agenttesla | 01aa40d1ee37ea9ec70250b1c68030031f22ef4af010f50b5b9b26c724e1d68d

General

Target

New Order.exe
Size

1.1MB
MD5

689c1747e952be68eeaa28ecf3e36a90
SHA1

2c3c22cb6fc8c949f06b6c7b3e032776cc247bd1
SHA256

e0e1212ebf49244da1fd93d30b121e936b46d03b9879924a63402de69e225e2b
SHA512

82c7d63e730bc10ab2dc4648d512385d89b5af293168b4344d08688fffbf9e49ba7c4a999a9cd88d489c6c1c21578d78f2ebdd5a4d4d0e94a7ddfbc39561cbaf
SSDEEP

12288:d2iNo3XdJVZz5dB3HWXtLUphPCI0EGpF+fasTi6dsCM6D1IlnOh4HSlG+5q6waGd:d12zVZ97HW5ko29ZTT+Yb+HqM60cq

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

New Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 1344 set thread context of 912 1344 New Order.exe New Order.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1192 schtasks.exe

description	pid	process	target process
PID 1344 set thread context of 912	1344	New Order.exe	New Order.exe

pid	process
1192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

New Order.exepowershell.exepowershell.exe

pid	process
1344	New Order.exe
1344	New Order.exe
1344	New Order.exe
1344	New Order.exe
1344	New Order.exe
1344	New Order.exe
1344	New Order.exe
1344	New Order.exe
1312	powershell.exe
1164	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

New Order.exeNew Order.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1344	New Order.exe
Token: SeDebugPrivilege	912	New Order.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 1344 wrote to memory of 1312	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1312	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1312	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1312	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1164	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1164	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1164	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1164	1344	New Order.exe	powershell.exe
PID 1344 wrote to memory of 1192	1344	New Order.exe	schtasks.exe
PID 1344 wrote to memory of 1192	1344	New Order.exe	schtasks.exe
PID 1344 wrote to memory of 1192	1344	New Order.exe	schtasks.exe
PID 1344 wrote to memory of 1192	1344	New Order.exe	schtasks.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe
PID 1344 wrote to memory of 912	1344	New Order.exe	New Order.exe

outlook_office_path 1 IoCs

Processes:

New Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe

outlook_win_path 1 IoCs

Processes:

New Order.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	New Order.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tiSwlXoCtZ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tiSwlXoCtZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFAF3.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\New Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFAF3.tmp

Filesize
1KB

MD5
39281140345bf0ceba2338a1fd9183bb

SHA1
5ca61c0bb34f0894a872954f96e99e1a16a15296

SHA256
a071c36c821c6510391af7ff2bfa6654542a8f7449a7de2e2034f5819281bf54

SHA512
6e002766a5c2d777b70a1de0b3148eafeff74afdac91e5586d0c9443de06f5b7569eb5f087c5b70b7445d6f21b89ba83e7a90de6382fe88f59f42209e08d3767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C17M1QIP36IEQVAUPKB1.temp

Filesize
7KB

MD5
1590237943bb1b657de3aefe18d79896

SHA1
62a73b8da15aa45b829eb00cce334d9e78ca6284

SHA256
c7c683e3cbbcb9fd2e8e2ebfa9a0213a43d460e371bc5725deddbd80d9c92078

SHA512
3f8659847d2d4bbf0b2eab6e5b7b2e431ce65204912d55466276fbaacd4105fbb2ad7131076619c0b9837da13dc410d6098f702e9f0c36bf44d046c502a9fc17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1590237943bb1b657de3aefe18d79896

SHA1
62a73b8da15aa45b829eb00cce334d9e78ca6284

SHA256
c7c683e3cbbcb9fd2e8e2ebfa9a0213a43d460e371bc5725deddbd80d9c92078

SHA512
3f8659847d2d4bbf0b2eab6e5b7b2e431ce65204912d55466276fbaacd4105fbb2ad7131076619c0b9837da13dc410d6098f702e9f0c36bf44d046c502a9fc17

Download Submit
memory/912-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/912-76-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/912-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1164-84-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/1312-83-0x0000000002350000-0x0000000002390000-memory.dmp

Filesize
256KB

Download
memory/1344-72-0x0000000000FF0000-0x0000000001022000-memory.dmp

Filesize
200KB

Download
memory/1344-55-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/1344-56-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/1344-57-0x0000000004D40000-0x0000000004D80000-memory.dmp

Filesize
256KB

Download
memory/1344-54-0x0000000001020000-0x0000000001138000-memory.dmp

Filesize
1.1MB

Download
memory/1344-58-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1344-59-0x0000000005580000-0x000000000562A000-memory.dmp

Filesize
680KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads