agenttesla | a7c284be487a9a722313747a9d976173d074e4463ededc53668cd925b7793147

General

Target

QUOTATION#235878.exe
Size

893KB
MD5

87a0518430f27f497e7d311547c3cc49
SHA1

3105b3ed593ca26a4faaf253c8ad037a8adacf8e
SHA256

a7c284be487a9a722313747a9d976173d074e4463ededc53668cd925b7793147
SHA512

3102f443d1865bfb69cf204b067493861aaf40e4245fda3c1bfa987f29100eb75aee10f4f56cfe49eb9dd55b6f957a0c3a34ed96bc5803dbb76b622c7464a6f7
SSDEEP

12288:d+nA3fWDsZt6wlr0T4ytyFAGuNPeG9rHJRhip1qJv6nnjqKoea:AA3fWDsT6wl0ByJRG973CqZ6nnjqKoea

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.code-jet.com
Port:
21
Username:
[email protected]
Password:
Xec[t)4]dk2D

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"	jsc.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATION#235878.exe

description pid process target process

PID 1928 set thread context of 1328 1928 QUOTATION#235878.exe jsc.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org

description	pid	process	target process
PID 1928 set thread context of 1328	1928	QUOTATION#235878.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

QUOTATION#235878.exe

pid	process
1928	QUOTATION#235878.exe
1928	QUOTATION#235878.exe
1928	QUOTATION#235878.exe
1928	QUOTATION#235878.exe
1928	QUOTATION#235878.exe
1928	QUOTATION#235878.exe
1928	QUOTATION#235878.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

QUOTATION#235878.exejsc.exe

description pid process

Token: SeDebugPrivilege 1928 QUOTATION#235878.exe
Token: SeDebugPrivilege 1328 jsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

1328 jsc.exe

description	pid	process
Token: SeDebugPrivilege	1928	QUOTATION#235878.exe
Token: SeDebugPrivilege	1328	jsc.exe

pid	process
1328	jsc.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

QUOTATION#235878.exe

description	pid	process	target process
PID 1928 wrote to memory of 1924	1928	QUOTATION#235878.exe	cvtres.exe
PID 1928 wrote to memory of 1924	1928	QUOTATION#235878.exe	cvtres.exe
PID 1928 wrote to memory of 1924	1928	QUOTATION#235878.exe	cvtres.exe
PID 1928 wrote to memory of 1908	1928	QUOTATION#235878.exe	aspnet_compiler.exe
PID 1928 wrote to memory of 1908	1928	QUOTATION#235878.exe	aspnet_compiler.exe
PID 1928 wrote to memory of 1908	1928	QUOTATION#235878.exe	aspnet_compiler.exe
PID 1928 wrote to memory of 528	1928	QUOTATION#235878.exe	aspnet_regsql.exe
PID 1928 wrote to memory of 528	1928	QUOTATION#235878.exe	aspnet_regsql.exe
PID 1928 wrote to memory of 528	1928	QUOTATION#235878.exe	aspnet_regsql.exe
PID 1928 wrote to memory of 572	1928	QUOTATION#235878.exe	ngen.exe
PID 1928 wrote to memory of 572	1928	QUOTATION#235878.exe	ngen.exe
PID 1928 wrote to memory of 572	1928	QUOTATION#235878.exe	ngen.exe
PID 1928 wrote to memory of 1064	1928	QUOTATION#235878.exe	MSBuild.exe
PID 1928 wrote to memory of 1064	1928	QUOTATION#235878.exe	MSBuild.exe
PID 1928 wrote to memory of 1064	1928	QUOTATION#235878.exe	MSBuild.exe
PID 1928 wrote to memory of 608	1928	QUOTATION#235878.exe	aspnet_wp.exe
PID 1928 wrote to memory of 608	1928	QUOTATION#235878.exe	aspnet_wp.exe
PID 1928 wrote to memory of 608	1928	QUOTATION#235878.exe	aspnet_wp.exe
PID 1928 wrote to memory of 1428	1928	QUOTATION#235878.exe	RegAsm.exe
PID 1928 wrote to memory of 1428	1928	QUOTATION#235878.exe	RegAsm.exe
PID 1928 wrote to memory of 1428	1928	QUOTATION#235878.exe	RegAsm.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe
PID 1928 wrote to memory of 1328	1928	QUOTATION#235878.exe	jsc.exe

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION#235878.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION#235878.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:1924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-57-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1328-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1328-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1328-62-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/1328-82-0x0000000004C50000-0x0000000004C90000-memory.dmp

Filesize
256KB

Download
memory/1928-54-0x00000000012E0000-0x00000000013C4000-memory.dmp

Filesize
912KB

Download
memory/1928-55-0x000000001A7D0000-0x000000001A876000-memory.dmp

Filesize
664KB

Download
memory/1928-56-0x000000001B2E0000-0x000000001B360000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads