agenttesla | 706dcbef87d17593d63504485cca84f2ba9ceea75873d08eea041c7b5c1291ae

General

Target

ÖnderGrup-2023,jpg.exe
Size

647KB
MD5

b042d473798b5f1075e53e178ad7e0da
SHA1

422377a595c6559d0e0878bc0edc04c0d19a87e7
SHA256

706dcbef87d17593d63504485cca84f2ba9ceea75873d08eea041c7b5c1291ae
SHA512

fc1914704bd0748f1ec306b54e5e837afadc7b415ce2038191f34c452ea29ac2bbc5acbe5fa5f47117d59385f6ca9ee76a1c9ab054fca7b867e6aa6a67a2851e
SSDEEP

12288:3Yx/BJIdm3xOZHUrb4j9uTEAmHedQUrAto1:3Yx8d7erJuedsto1

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.greenvalleycharity.org
Port:
21
Username:
[email protected]
Password:
mike63976460

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

jwdwqngy.exejwdwqngy.exe

pid process

4164 jwdwqngy.exe
5060 jwdwqngy.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4164	jwdwqngy.exe
5060	jwdwqngy.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jwdwqngy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jwdwqngy.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jwdwqngy.exe
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jwdwqngy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jwdwqngy.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Newapp = "C:\\Users\\Admin\\AppData\\Roaming\\Newapp\\Newapp.exe"	jwdwqngy.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

jwdwqngy.exe

description pid process target process

PID 4164 set thread context of 5060 4164 jwdwqngy.exe jwdwqngy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jwdwqngy.exe

pid process

4164 jwdwqngy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jwdwqngy.exe

description pid process

Token: SeDebugPrivilege 5060 jwdwqngy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jwdwqngy.exe

pid process

5060 jwdwqngy.exe

flow	ioc
13	api.ipify.org
14	api.ipify.org

description	pid	process	target process
PID 4164 set thread context of 5060	4164	jwdwqngy.exe	jwdwqngy.exe

pid	process
4164	jwdwqngy.exe

description	pid	process
Token: SeDebugPrivilege	5060	jwdwqngy.exe

pid	process
5060	jwdwqngy.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ÖnderGrup-2023,jpg.exejwdwqngy.exe

description	pid	process	target process
PID 1080 wrote to memory of 4164	1080	ÖnderGrup-2023,jpg.exe	jwdwqngy.exe
PID 1080 wrote to memory of 4164	1080	ÖnderGrup-2023,jpg.exe	jwdwqngy.exe
PID 1080 wrote to memory of 4164	1080	ÖnderGrup-2023,jpg.exe	jwdwqngy.exe
PID 4164 wrote to memory of 5060	4164	jwdwqngy.exe	jwdwqngy.exe
PID 4164 wrote to memory of 5060	4164	jwdwqngy.exe	jwdwqngy.exe
PID 4164 wrote to memory of 5060	4164	jwdwqngy.exe	jwdwqngy.exe
PID 4164 wrote to memory of 5060	4164	jwdwqngy.exe	jwdwqngy.exe

outlook_office_path 1 IoCs

Processes:

jwdwqngy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jwdwqngy.exe

outlook_win_path 1 IoCs

Processes:

jwdwqngy.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jwdwqngy.exe

C:\Users\Admin\AppData\Local\Temp\ÖnderGrup-2023,jpg.exe
"C:\Users\Admin\AppData\Local\Temp\ÖnderGrup-2023,jpg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
"C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe" C:\Users\Admin\AppData\Local\Temp\ibppwaz.pz
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4164

C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
"C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cqfmuven.o
Filesize
484KB

MD5
31c938ef24d29328daa90623419d755e

SHA1
551db4b18a75c35d36fe2a5f147271a3c573eaa3

SHA256
332b49c1a7ac90781f8e9caa30e32160cf292cf9ba0ee82dbe9c42080552126c

SHA512
349588db681b60104984d31a95be4ced0c429c192606987c56f68d1ba4fe83cf13b89be9867b647dec1f146c45e1b2c0a5cea3e4d65c94c8624cd94661652df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibppwaz.pz
Filesize
5KB

MD5
ee268f13d66ab09f0b273e9ec0a6ab46

SHA1
946799e5d61864e14843114d3b82f07d3d21bd96

SHA256
8081b7af19cabcf99c3bd5fb8c171ddcdfa6c373666b529513c6b1876e995e9b

SHA512
0bb1b22b454690f781d432c95f2425efe292a01751f0c68d21df31fe196c9389bacfc299fea25a184ae536921fdaf4551cf289822c879c22c96fc5d380da36a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
Filesize
108KB

MD5
630cbcb500563f7d4594be641b20f4c4

SHA1
3345c1a4aed091312820e02791d2de8389da576b

SHA256
1ee1e6bb891d87b93d53bea44d50e3978eb58b0555c37574a84c9c4a50bb60d3

SHA512
048c610d229e00f5dd4c590ccb905af50dad3fcf7d08d9cb90be4589a1f2ce97cc9270bbc4c243d7fc43dd4753ca08e5dc50a815f469a30d666319f24a772c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
Filesize
108KB

MD5
630cbcb500563f7d4594be641b20f4c4

SHA1
3345c1a4aed091312820e02791d2de8389da576b

SHA256
1ee1e6bb891d87b93d53bea44d50e3978eb58b0555c37574a84c9c4a50bb60d3

SHA512
048c610d229e00f5dd4c590ccb905af50dad3fcf7d08d9cb90be4589a1f2ce97cc9270bbc4c243d7fc43dd4753ca08e5dc50a815f469a30d666319f24a772c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
Filesize
108KB

MD5
630cbcb500563f7d4594be641b20f4c4

SHA1
3345c1a4aed091312820e02791d2de8389da576b

SHA256
1ee1e6bb891d87b93d53bea44d50e3978eb58b0555c37574a84c9c4a50bb60d3

SHA512
048c610d229e00f5dd4c590ccb905af50dad3fcf7d08d9cb90be4589a1f2ce97cc9270bbc4c243d7fc43dd4753ca08e5dc50a815f469a30d666319f24a772c5a

Download Submit
memory/4164-141-0x0000000000E30000-0x0000000000E32000-memory.dmp

Filesize
8KB

Download
memory/5060-147-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5060-152-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-145-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5060-149-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-150-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-148-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5060-151-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/5060-153-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/5060-144-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5060-154-0x0000000007130000-0x00000000071C2000-memory.dmp

Filesize
584KB

Download
memory/5060-155-0x0000000007100000-0x000000000710A000-memory.dmp

Filesize
40KB

Download
memory/5060-156-0x0000000007360000-0x00000000073B0000-memory.dmp

Filesize
320KB

Download
memory/5060-157-0x0000000007620000-0x00000000077E2000-memory.dmp

Filesize
1.8MB

Download
memory/5060-164-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-165-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-166-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download
memory/5060-167-0x0000000003320000-0x0000000003330000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads