agenttesla | 44b75803f16adb7768ad6ce2fcb8f56422a665085ac5aaebbce5fc8639bd352c

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/04/2023, 09:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Order PO230325174.exe
Size

304KB
MD5

377a84d2218cb6c710595b066ef37ba7
SHA1

73ab065c6bed38d832c70d72a2fb2c16462f546f
SHA256

44b75803f16adb7768ad6ce2fcb8f56422a665085ac5aaebbce5fc8639bd352c
SHA512

092a0fde188f590c24a8c5fecd2c25069681603c8b7c76912f41e329d93b78b55f9e18caf866775d391187610c9cfbdeaf168819c8bfac203cf7a67ca1f60e98
SSDEEP

6144:/Ya61pD8pgbubbOtq5pJvAON2wjZcdo8EiJm6FISnieIuApf7W:/YXpD8pgbsbZ5/vbNZjZv0TuZuAp6

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1280	grosyjxewh.exe
1112	grosyjxewh.exe

Loads dropped DLL 2 IoCs

pid	Process
1772	Order PO230325174.exe
1280	grosyjxewh.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	grosyjxewh.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	grosyjxewh.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	grosyjxewh.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgpludyienwsc = "C:\\Users\\Admin\\AppData\\Roaming\\tyirnwgclhqy\\uenjsoxhdmvrb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\grosyjxewh.exe\" C:\\Users\\Admin\\Ap"	grosyjxewh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe"	grosyjxewh.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1280 set thread context of 1112	1280	grosyjxewh.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1280	grosyjxewh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	grosyjxewh.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 1280	1772	Order PO230325174.exe	28
PID 1772 wrote to memory of 1280	1772	Order PO230325174.exe	28
PID 1772 wrote to memory of 1280	1772	Order PO230325174.exe	28
PID 1772 wrote to memory of 1280	1772	Order PO230325174.exe	28
PID 1280 wrote to memory of 1112	1280	grosyjxewh.exe	29
PID 1280 wrote to memory of 1112	1280	grosyjxewh.exe	29
PID 1280 wrote to memory of 1112	1280	grosyjxewh.exe	29
PID 1280 wrote to memory of 1112	1280	grosyjxewh.exe	29
PID 1280 wrote to memory of 1112	1280	grosyjxewh.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	grosyjxewh.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	grosyjxewh.exe

C:\Users\Admin\AppData\Local\Temp\Order PO230325174.exe
"C:\Users\Admin\AppData\Local\Temp\Order PO230325174.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe
  "C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe" C:\Users\Admin\AppData\Local\Temp\hgkyvhibbv.fjj
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe
    "C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe

Filesize
85KB

MD5
42e10d86bf03320c192042ff9167d3e0

SHA1
e166aef378aff551b9a0480dc968355b2fce57f7

SHA256
a15ed4cbd2f20b2b55b519d2eb2b2e5283e785cb411d24bc8a1071a88ca5dbd5

SHA512
1b181bc65b7d70d3a3aceffc0cd54a3ce57d34f886cc12a752500489d53058a2fbb8f8a5b89a8f70464401d3981259ab94a471fc89cdf8aad25438c928a12270

Download Submit
C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe

Filesize
85KB

MD5
42e10d86bf03320c192042ff9167d3e0

SHA1
e166aef378aff551b9a0480dc968355b2fce57f7

SHA256
a15ed4cbd2f20b2b55b519d2eb2b2e5283e785cb411d24bc8a1071a88ca5dbd5

SHA512
1b181bc65b7d70d3a3aceffc0cd54a3ce57d34f886cc12a752500489d53058a2fbb8f8a5b89a8f70464401d3981259ab94a471fc89cdf8aad25438c928a12270

Download Submit
C:\Users\Admin\AppData\Local\Temp\grosyjxewh.exe

Filesize
85KB

MD5
42e10d86bf03320c192042ff9167d3e0

SHA1
e166aef378aff551b9a0480dc968355b2fce57f7

SHA256
a15ed4cbd2f20b2b55b519d2eb2b2e5283e785cb411d24bc8a1071a88ca5dbd5

SHA512
1b181bc65b7d70d3a3aceffc0cd54a3ce57d34f886cc12a752500489d53058a2fbb8f8a5b89a8f70464401d3981259ab94a471fc89cdf8aad25438c928a12270

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgkyvhibbv.fjj

Filesize
7KB

MD5
16d7dbb15cd1237bc467cdb34b97a52a

SHA1
2464b9b269eb11b98ace55911bf44b3dc9379dbb

SHA256
40b9af2e5802bfee51dfdc7e17c7f4e1ef28a26e9f858d586ff4c075f9ce627e

SHA512
bb54ce93122821f573c406951f142757e672021287be57a0683242d6225d70d44340dc4cea3bc5d6214eeaa082c117ba8a5e0180e157ce94e169aba726b77130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nmwyjmcbu.m

Filesize
263KB

MD5
497f69e0122f1ed3140b547d82ea02b4

SHA1
3dd72dbccb7386ce44af202926664dfcb1a35a84

SHA256
8aa54e9713003cfb26ba922e2d42f5944efd9b3a37276a69e7662bcbacfe7519

SHA512
5d5504f832651b4abb228ca0a402df02bd8d2cb18f17e08c96487f462a693ad08b6fadf50a7b496608c824e259ee91a4efc4b3b5543073d33a54fd5e9ffa9c07

Download Submit
\Users\Admin\AppData\Local\Temp\grosyjxewh.exe

Filesize
85KB

MD5
42e10d86bf03320c192042ff9167d3e0

SHA1
e166aef378aff551b9a0480dc968355b2fce57f7

SHA256
a15ed4cbd2f20b2b55b519d2eb2b2e5283e785cb411d24bc8a1071a88ca5dbd5

SHA512
1b181bc65b7d70d3a3aceffc0cd54a3ce57d34f886cc12a752500489d53058a2fbb8f8a5b89a8f70464401d3981259ab94a471fc89cdf8aad25438c928a12270

Download Submit
\Users\Admin\AppData\Local\Temp\grosyjxewh.exe

Filesize
85KB

MD5
42e10d86bf03320c192042ff9167d3e0

SHA1
e166aef378aff551b9a0480dc968355b2fce57f7

SHA256
a15ed4cbd2f20b2b55b519d2eb2b2e5283e785cb411d24bc8a1071a88ca5dbd5

SHA512
1b181bc65b7d70d3a3aceffc0cd54a3ce57d34f886cc12a752500489d53058a2fbb8f8a5b89a8f70464401d3981259ab94a471fc89cdf8aad25438c928a12270

Download Submit
memory/1112-70-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-72-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/1112-74-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/1112-75-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/1112-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-76-0x0000000000700000-0x0000000000740000-memory.dmp

Filesize
256KB

Download
memory/1280-62-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download