agenttesla | 34345f68afe6a10cb29415ba265f68f1a5d61c3a79a01e54be6c43e16aa0ce73

General

Target

tmp.exe
Size

349KB
MD5

a654157ddac012ade8be11d6b45a5dfb
SHA1

3aadefbff659c039584cfaa97db81ba306cba393
SHA256

34345f68afe6a10cb29415ba265f68f1a5d61c3a79a01e54be6c43e16aa0ce73
SHA512

61898d8256f5392f070266e9c5dc5ec1b036d4f98100a433c67e93ba82da19d9217ee5ab8e8eb8f5b1bd8db659337f1541e921678776540ee0551dc37448ece0
SSDEEP

6144:wYa6CBpOx4SUugmdy95/d5e3iHBiGWkUdUnvJP9pGni90V:wY4Sx4SUfh/3eyHBIZ+pOi9o

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 3 IoCs

pid	Process
2012	xskrcvnj.exe
3952	xskrcvnj.exe
4196	xskrcvnj.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xskrcvnj.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xskrcvnj.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xskrcvnj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gcWPrHZ = "C:\\Users\\Admin\\AppData\\Roaming\\gcWPrHZ\\gcWPrHZ.exe"	xskrcvnj.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2012 set thread context of 4196	2012	xskrcvnj.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2012	xskrcvnj.exe
2012	xskrcvnj.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4196	xskrcvnj.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 2012	4120	tmp.exe	82
PID 4120 wrote to memory of 2012	4120	tmp.exe	82
PID 4120 wrote to memory of 2012	4120	tmp.exe	82
PID 2012 wrote to memory of 3952	2012	xskrcvnj.exe	83
PID 2012 wrote to memory of 3952	2012	xskrcvnj.exe	83
PID 2012 wrote to memory of 3952	2012	xskrcvnj.exe	83
PID 2012 wrote to memory of 4196	2012	xskrcvnj.exe	84
PID 2012 wrote to memory of 4196	2012	xskrcvnj.exe	84
PID 2012 wrote to memory of 4196	2012	xskrcvnj.exe	84
PID 2012 wrote to memory of 4196	2012	xskrcvnj.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xskrcvnj.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xskrcvnj.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe
  "C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe" C:\Users\Admin\AppData\Local\Temp\faotpt.n
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe
    "C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe"
    3⤵
    - Executes dropped EXE
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe
    "C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eevor.qta

Filesize
263KB

MD5
7961101faf83081e3dc1e08e262484aa

SHA1
73471b1d4529a83b15c19e63571ecbfdf13f4b1c

SHA256
86fde7912904d24328962afcffc171e0ebc8e12b951f63d472b2c6ab04bc0ecc

SHA512
9977439bbbcb6520a6028323ebe821e7f7c4f419330738f9b41d4354747f2b20b67875b2a6d2b8be19d6d12825b6785d230af760be740dd3a0c6317299d7833d

Download Submit
C:\Users\Admin\AppData\Local\Temp\faotpt.n

Filesize
5KB

MD5
f20040cdf1cac6488f77801df389a49e

SHA1
68b53a3755ed2b5bc848eb6bd19ffa27d41e02de

SHA256
5e4fabd993ef37b84a2e1b18136b3606f814ae0fa4d3e64046b9fe57e5883eb1

SHA512
db1b3415db8da6680f1313b5c9bea9594ddd62cd69aa37291276a1eb57669e6549a69a457a5126895a90b9c739c288cc60c73f8bb155157d0b5907a413b89bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe

Filesize
107KB

MD5
eff0c066513cbdad131a8557d3571c95

SHA1
3f57f7803c058e6ac66415ba5f5d2f82c69eb385

SHA256
35febffbded8d232cb77053522ccf38ba332b758f081b5e46dc467f416df4ba5

SHA512
c094155473eb534a1b65ded294d3686d0291be2e6ef6dcf90d98be545805d00c8d269c9f47cdb45c7689d59d34d2502c1957405e0c18d795ccd11ff0705f4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe

Filesize
107KB

MD5
eff0c066513cbdad131a8557d3571c95

SHA1
3f57f7803c058e6ac66415ba5f5d2f82c69eb385

SHA256
35febffbded8d232cb77053522ccf38ba332b758f081b5e46dc467f416df4ba5

SHA512
c094155473eb534a1b65ded294d3686d0291be2e6ef6dcf90d98be545805d00c8d269c9f47cdb45c7689d59d34d2502c1957405e0c18d795ccd11ff0705f4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe

Filesize
107KB

MD5
eff0c066513cbdad131a8557d3571c95

SHA1
3f57f7803c058e6ac66415ba5f5d2f82c69eb385

SHA256
35febffbded8d232cb77053522ccf38ba332b758f081b5e46dc467f416df4ba5

SHA512
c094155473eb534a1b65ded294d3686d0291be2e6ef6dcf90d98be545805d00c8d269c9f47cdb45c7689d59d34d2502c1957405e0c18d795ccd11ff0705f4192

Download Submit
C:\Users\Admin\AppData\Local\Temp\xskrcvnj.exe

Filesize
107KB

MD5
eff0c066513cbdad131a8557d3571c95

SHA1
3f57f7803c058e6ac66415ba5f5d2f82c69eb385

SHA256
35febffbded8d232cb77053522ccf38ba332b758f081b5e46dc467f416df4ba5

SHA512
c094155473eb534a1b65ded294d3686d0291be2e6ef6dcf90d98be545805d00c8d269c9f47cdb45c7689d59d34d2502c1957405e0c18d795ccd11ff0705f4192

Download Submit
memory/2012-145-0x0000000001120000-0x0000000001122000-memory.dmp

Filesize
8KB

Download
memory/4196-150-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4196-154-0x0000000006290000-0x0000000006322000-memory.dmp

Filesize
584KB

Download
memory/4196-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-149-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/4196-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-151-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4196-152-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/4196-153-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4196-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-155-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

Filesize
40KB

Download
memory/4196-156-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4196-157-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4196-158-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download
memory/4196-159-0x0000000006380000-0x00000000063D0000-memory.dmp

Filesize
320KB

Download
memory/4196-160-0x00000000066D0000-0x0000000006892000-memory.dmp

Filesize
1.8MB

Download
memory/4196-161-0x00000000053C0000-0x00000000053D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing