agenttesla | 2f88698d6605aa5a9ca6d0ee49228ab4e0c073b5a08096f46895d02f91d71e0c

General

Target

5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
Size

1.1MB
MD5

5b1f4e2b1ae240311980d2f6186cf88e
SHA1

36e0e9c15f9d21c9ecbd40ac3bdf03ab34245c82
SHA256

5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1
SHA512

42db37dbf80ce648f72e7afcb8be38b9c81c30e366531d913b9e690c69312d551ef217e343a8810e1c024124cc516df9108ecb299533357ad818e20bd1ab2162
SSDEEP

12288:zWHNC1Q/rusz7NxS+Q7+GvwP2FAihZ+YBtskhYT75geR5Of6oAGGomaJQWRu125X:sLGHK5EGjtWo1raPMVu

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mibmglobal.com
Port:
587
Username:
kavita@mibmglobal.com
Password:
mibmg3010!
Email To:
davidsurly1@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe

description	pid	process	target process
PID 2036 set thread context of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe

pid	process
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
Token: SeDebugPrivilege	2104	AddInProcess32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe

description	pid	process	target process
PID 2036 wrote to memory of 3816	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInUtil.exe
PID 2036 wrote to memory of 3816	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInUtil.exe
PID 2036 wrote to memory of 1944	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	jsc.exe
PID 2036 wrote to memory of 1944	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	jsc.exe
PID 2036 wrote to memory of 1944	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	jsc.exe
PID 2036 wrote to memory of 372	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	cvtres.exe
PID 2036 wrote to memory of 372	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	cvtres.exe
PID 2036 wrote to memory of 4112	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	aspnet_regbrowsers.exe
PID 2036 wrote to memory of 4112	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	aspnet_regbrowsers.exe
PID 2036 wrote to memory of 1876	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	ngentask.exe
PID 2036 wrote to memory of 1876	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	ngentask.exe
PID 2036 wrote to memory of 2872	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	MSBuild.exe
PID 2036 wrote to memory of 2872	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	MSBuild.exe
PID 2036 wrote to memory of 2056	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	EdmGen.exe
PID 2036 wrote to memory of 2056	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	EdmGen.exe
PID 2036 wrote to memory of 2252	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	RegAsm.exe
PID 2036 wrote to memory of 2252	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	RegAsm.exe
PID 2036 wrote to memory of 2180	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	dfsvc.exe
PID 2036 wrote to memory of 2180	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	dfsvc.exe
PID 2036 wrote to memory of 2124	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	SMSvcHost.exe
PID 2036 wrote to memory of 2124	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	SMSvcHost.exe
PID 2036 wrote to memory of 3808	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	DataSvcUtil.exe
PID 2036 wrote to memory of 3808	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	DataSvcUtil.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe
PID 2036 wrote to memory of 2104	2036	5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe	AddInProcess32.exe

outlook_office_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

outlook_win_path 1 IoCs

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
"C:\Users\Admin\AppData\Local\Temp\5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:3816

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:1944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:4112

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:1876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:2872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:2252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:3808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2036-133-0x000001DCB1D80000-0x000001DCB1EA6000-memory.dmp

Filesize
1.1MB

Download
memory/2036-134-0x000001DCCD670000-0x000001DCCD680000-memory.dmp

Filesize
64KB

Download
memory/2104-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2104-137-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/2104-138-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download
memory/2104-139-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/2104-140-0x0000000006060000-0x00000000060F2000-memory.dmp

Filesize
584KB

Download
memory/2104-141-0x0000000006100000-0x000000000610A000-memory.dmp

Filesize
40KB

Download
memory/2104-142-0x0000000006240000-0x0000000006290000-memory.dmp

Filesize
320KB

Download
memory/2104-143-0x0000000006460000-0x0000000006622000-memory.dmp

Filesize
1.8MB

Download
memory/2104-144-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads