agenttesla | c1fea3070e2c0836fee930ce393a597e18a4c383a4ba007700d638f6a956da2c

General

Target

rNewPOSPL036570_pdf.exe
Size

322KB
MD5

7105b90fb38cbfb87c81324292b69102
SHA1

9b6347e063466a4cb98745a12322597dbb3fc089
SHA256

c1fea3070e2c0836fee930ce393a597e18a4c383a4ba007700d638f6a956da2c
SHA512

265e741b66c863ed3bb5e7c372942e1da81ffd40dce50a0f7f9e51b064b748bf77b1f64cf29f78213d180fc8f78477d1e079e7b22d7c3f723074cd173987f1a9
SSDEEP

6144:/Ya6rJVwps42oP2koYyBKxcUu+oR7KavJ33iyKg/fJC8mD7sKdLthJXYeVpdA8zi:/YBspseXZXxcvUaRnIGfJ0zphJI

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
ubduipymcemperot

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

moyiaku.exemoyiaku.exe

pid process

3912 moyiaku.exe
4788 moyiaku.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3912	moyiaku.exe
4788	moyiaku.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

moyiaku.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	moyiaku.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	moyiaku.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	moyiaku.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

moyiaku.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avfbktpyienjsc = "C:\\Users\\Admin\\AppData\\Roaming\\bgpl\\Ajfh clhqa.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\moyiaku.exe\" C:\\Users\\Admin\\AppData\\Local\\Te"	moyiaku.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
27 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

moyiaku.exe

description pid process target process

PID 3912 set thread context of 4788 3912 moyiaku.exe moyiaku.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

moyiaku.exe

pid process

3912 moyiaku.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

moyiaku.exe

description pid process

Token: SeDebugPrivilege 4788 moyiaku.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

moyiaku.exe

pid process

4788 moyiaku.exe

flow	ioc
26	api.ipify.org
27	api.ipify.org

description	pid	process	target process
PID 3912 set thread context of 4788	3912	moyiaku.exe	moyiaku.exe

pid	process
3912	moyiaku.exe

description	pid	process
Token: SeDebugPrivilege	4788	moyiaku.exe

pid	process
4788	moyiaku.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rNewPOSPL036570_pdf.exemoyiaku.exe

description	pid	process	target process
PID 3196 wrote to memory of 3912	3196	rNewPOSPL036570_pdf.exe	moyiaku.exe
PID 3196 wrote to memory of 3912	3196	rNewPOSPL036570_pdf.exe	moyiaku.exe
PID 3196 wrote to memory of 3912	3196	rNewPOSPL036570_pdf.exe	moyiaku.exe
PID 3912 wrote to memory of 4788	3912	moyiaku.exe	moyiaku.exe
PID 3912 wrote to memory of 4788	3912	moyiaku.exe	moyiaku.exe
PID 3912 wrote to memory of 4788	3912	moyiaku.exe	moyiaku.exe
PID 3912 wrote to memory of 4788	3912	moyiaku.exe	moyiaku.exe

outlook_office_path 1 IoCs

Processes:

moyiaku.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	moyiaku.exe

outlook_win_path 1 IoCs

Processes:

moyiaku.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	moyiaku.exe

C:\Users\Admin\AppData\Local\Temp\rNewPOSPL036570_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\rNewPOSPL036570_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3196

C:\Users\Admin\AppData\Local\Temp\moyiaku.exe
"C:\Users\Admin\AppData\Local\Temp\moyiaku.exe" C:\Users\Admin\AppData\Local\Temp\ucwenc.s
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\moyiaku.exe
"C:\Users\Admin\AppData\Local\Temp\moyiaku.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\moyiaku.exe
Filesize
107KB

MD5
832c91c51492320ea1b00f1e3ebee546

SHA1
78ce4a0b7caac652ae59a9eb9c01854b66fa563b

SHA256
3667d8c60c4953f078cd261e7ee0cc9447d1cc98a4d6977925f2a85bd02af14e

SHA512
0c565226fdd7b1c149edc7a4134ccc03e75514a7322e2db781036f358354a1491b637d8eaafb470a47ed992dfc29c20a2782c357522801ee6e1ae61bcc56bd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\moyiaku.exe
Filesize
107KB

MD5
832c91c51492320ea1b00f1e3ebee546

SHA1
78ce4a0b7caac652ae59a9eb9c01854b66fa563b

SHA256
3667d8c60c4953f078cd261e7ee0cc9447d1cc98a4d6977925f2a85bd02af14e

SHA512
0c565226fdd7b1c149edc7a4134ccc03e75514a7322e2db781036f358354a1491b637d8eaafb470a47ed992dfc29c20a2782c357522801ee6e1ae61bcc56bd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\moyiaku.exe
Filesize
107KB

MD5
832c91c51492320ea1b00f1e3ebee546

SHA1
78ce4a0b7caac652ae59a9eb9c01854b66fa563b

SHA256
3667d8c60c4953f078cd261e7ee0cc9447d1cc98a4d6977925f2a85bd02af14e

SHA512
0c565226fdd7b1c149edc7a4134ccc03e75514a7322e2db781036f358354a1491b637d8eaafb470a47ed992dfc29c20a2782c357522801ee6e1ae61bcc56bd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svczolrb.q
Filesize
266KB

MD5
95e18dc6105d27247c71ba42007993f3

SHA1
f8a60a5a473d7faa21062e9c80bf2bbdf4b5b96f

SHA256
8bcea990b3e0bd4fc408ffc8fdd86ad0f232b9c4a9db8d0fb49e532ae2ce99af

SHA512
266fddecfef6db1f646fb7204855a48d44a4e5b927e38664c36bee1bc53bb4f2a71fa159a4b877c16609d0d71effe7a042f0e99be3e2cafad501e6d07026df5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucwenc.s
Filesize
7KB

MD5
1dbcff0a4e280484e9ff2b94f23b0266

SHA1
647bbba18076c5224bf60a10483adb2c573e775d

SHA256
30d5281dff3de19018c34815894d839914cb4b1d254d08c49fd1aee012789c73

SHA512
ccf6b5c1157954aa97d97bdb21a02589f9b849036f917bf13f04d7f2f8f258e020f1ba0bc0d7153922c5263af335e6902796bb8abc9c39c25915c75e4780b5ae

Download Submit
memory/4788-151-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-152-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-147-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/4788-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-149-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-150-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-153-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4788-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4788-154-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-155-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-156-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-157-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4788-158-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/4788-159-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

Filesize
40KB

Download
memory/4788-160-0x0000000006EC0000-0x0000000006F10000-memory.dmp

Filesize
320KB

Download
memory/4788-161-0x00000000070E0000-0x00000000072A2000-memory.dmp

Filesize
1.8MB

Download
memory/4788-168-0x0000000006FB0000-0x000000000704C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads