agenttesla | 80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d

General

Target

DHL è PRG230411031112.exe
Size

588KB
MD5

a4ac1ef92f6343cdb154e90abd912eff
SHA1

8943ea38f0a7fe68a90e92eca96a81e7ea665c95
SHA256

80d1e76ebf4aa4d65e93a673bc3fc94fc6b36d507f4ca0f63c7863282b5e723d
SHA512

bfff2446fe22be28e0c2e0567a8877267d7f7a5612ddcb53453dcb5a86ac7a02a0c422fd4243f3bac399deac5f42a65325eb86c448f6a013592dc9bad2c46eca
SSDEEP

12288:KOnbqjcd+jUDF2LUlxuxHONzmp6BFBsMo0fCgGUhyhTVJ:KJ8oUdbBpg6BkMo5gc1X

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.namebadgesinternational.com.sg
Port:
587
Username:
[email protected]
Password:
lezio9urpayt
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1596	1768	DHL è PRG230411031112.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1448	powershell.exe
672	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	MSBuild.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 672	1768	DHL è PRG230411031112.exe	28
PID 1768 wrote to memory of 672	1768	DHL è PRG230411031112.exe	28
PID 1768 wrote to memory of 672	1768	DHL è PRG230411031112.exe	28
PID 1768 wrote to memory of 672	1768	DHL è PRG230411031112.exe	28
PID 1768 wrote to memory of 1448	1768	DHL è PRG230411031112.exe	30
PID 1768 wrote to memory of 1448	1768	DHL è PRG230411031112.exe	30
PID 1768 wrote to memory of 1448	1768	DHL è PRG230411031112.exe	30
PID 1768 wrote to memory of 1448	1768	DHL è PRG230411031112.exe	30
PID 1768 wrote to memory of 1688	1768	DHL è PRG230411031112.exe	31
PID 1768 wrote to memory of 1688	1768	DHL è PRG230411031112.exe	31
PID 1768 wrote to memory of 1688	1768	DHL è PRG230411031112.exe	31
PID 1768 wrote to memory of 1688	1768	DHL è PRG230411031112.exe	31
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34
PID 1768 wrote to memory of 1596	1768	DHL è PRG230411031112.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\DHL è PRG230411031112.exe
"C:\Users\Admin\AppData\Local\Temp\DHL è PRG230411031112.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL è PRG230411031112.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uauFLg.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uauFLg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC228.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1688
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC228.tmp

Filesize
1KB

MD5
3cafe1e3d620e26bb24d715b5f25cd6f

SHA1
3a079d273929c5bd6381e96805b7a5ba44a4a953

SHA256
7df42a1fd15c26f9e9b00856412395824f82e95872717b98fcc7a3218958868b

SHA512
d8782be623ecec6ddae07aabac915e85804e430b11e690435678a34bb2c667aa572e49e6f9a3a50ad1ed3be5094954be5dc4f0eccdab60e7d6061aac6b0aa213

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UKL56DXDGK0R860W0WKI.temp

Filesize
7KB

MD5
e8825ac4c6fd56d00bca17b171978004

SHA1
31f48c1508305351f89e9de9335c34b81a47986a

SHA256
c12af995383de229e6f17a73795395ac0d2a3ab3b41295a75d2654f037d5c1f4

SHA512
0b2b8583c64ad9f6c3a56c3270d748d474fe5073471e9a480fcef6a6810554a1a500cf2472fcc86688e0cb002d430d1c6f9c66c0fec8e6028b8c4cc03727d504

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e8825ac4c6fd56d00bca17b171978004

SHA1
31f48c1508305351f89e9de9335c34b81a47986a

SHA256
c12af995383de229e6f17a73795395ac0d2a3ab3b41295a75d2654f037d5c1f4

SHA512
0b2b8583c64ad9f6c3a56c3270d748d474fe5073471e9a480fcef6a6810554a1a500cf2472fcc86688e0cb002d430d1c6f9c66c0fec8e6028b8c4cc03727d504

Download Submit
memory/672-79-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/1448-80-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/1596-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1596-85-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/1596-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1596-76-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1768-72-0x0000000004BC0000-0x0000000004BF2000-memory.dmp

Filesize
200KB

Download
memory/1768-54-0x00000000009B0000-0x0000000000A4A000-memory.dmp

Filesize
616KB

Download
memory/1768-56-0x0000000000500000-0x0000000000514000-memory.dmp

Filesize
80KB

Download
memory/1768-55-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1768-59-0x0000000005F90000-0x0000000005FFA000-memory.dmp

Filesize
424KB

Download
memory/1768-57-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1768-58-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads