agenttesla | ff93a2e2fc9a3ff0bfe4ae5b9bef84478972cc403c1c68ce1de414e19acfa6ea

General

Target

contract copy.exe
Size

644KB
MD5

a7ad0ba62dd43be3bde3182daee37242
SHA1

2d020705a207956277362c288631aefce048fa20
SHA256

ff93a2e2fc9a3ff0bfe4ae5b9bef84478972cc403c1c68ce1de414e19acfa6ea
SHA512

0bfb8385a7621ebcc75aa1af2963ea5f70467177a8190f324a7d2fa6153603d82df03b2556312aded543fba87c6858d0f78a5d3fbe9f945c7693f54615612261
SSDEEP

12288:zL2iNvRDWMdaJT5dQqreSItmis1ZCbTXXCk0pGShnSJ1dxAsS/:v1tRtdaZkkeSIhs1wrykXSMJ1Q

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.quartziax.com
Port:
587
Username:
[email protected]
Password:
bSshyjZ4
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	contract copy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	contract copy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	contract copy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\zRshgsL = "C:\\Users\\Admin\\AppData\\Roaming\\zRshgsL\\zRshgsL.exe"	contract copy.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1412 set thread context of 1360	1412	contract copy.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1412	contract copy.exe
1412	contract copy.exe
1412	contract copy.exe
1412	contract copy.exe
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	contract copy.exe
Token: SeDebugPrivilege	1360	contract copy.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1692	1412	contract copy.exe	28
PID 1412 wrote to memory of 1692	1412	contract copy.exe	28
PID 1412 wrote to memory of 1692	1412	contract copy.exe	28
PID 1412 wrote to memory of 1692	1412	contract copy.exe	28
PID 1412 wrote to memory of 1764	1412	contract copy.exe	30
PID 1412 wrote to memory of 1764	1412	contract copy.exe	30
PID 1412 wrote to memory of 1764	1412	contract copy.exe	30
PID 1412 wrote to memory of 1764	1412	contract copy.exe	30
PID 1412 wrote to memory of 872	1412	contract copy.exe	32
PID 1412 wrote to memory of 872	1412	contract copy.exe	32
PID 1412 wrote to memory of 872	1412	contract copy.exe	32
PID 1412 wrote to memory of 872	1412	contract copy.exe	32
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33
PID 1412 wrote to memory of 1360	1412	contract copy.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	contract copy.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	contract copy.exe

C:\Users\Admin\AppData\Local\Temp\contract copy.exe
"C:\Users\Admin\AppData\Local\Temp\contract copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YkmINle.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YkmINle" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\contract copy.exe
  "C:\Users\Admin\AppData\Local\Temp\contract copy.exe"
  2⤵
  PID:872
- C:\Users\Admin\AppData\Local\Temp\contract copy.exe
  "C:\Users\Admin\AppData\Local\Temp\contract copy.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC247.tmp

Filesize
1KB

MD5
798613c3a6d174e964a6c1907ce26aa7

SHA1
1dc96f637654e5e3257cf64a91c6c3b85cde29fd

SHA256
7ea6b4ed73e4e5be6e26ffd0dd2ab87c69d23f608209c8d1d417f2e41895dab1

SHA512
91de113eae7e7cae0f73026bd4dabb16adc0ec55aabaef48928dfa5f9f9b75f868457fa209c20612af4e82d8a2b4163442089c07846c7527967434038f56cbda

Download Submit
memory/1360-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1360-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-104-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1360-79-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/1360-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1360-71-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1412-56-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1412-54-0x0000000001090000-0x0000000001138000-memory.dmp

Filesize
672KB

Download
memory/1412-65-0x0000000004880000-0x00000000048B2000-memory.dmp

Filesize
200KB

Download
memory/1412-55-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/1412-59-0x0000000005230000-0x000000000529A000-memory.dmp

Filesize
424KB

Download
memory/1412-58-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1412-57-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/1692-78-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads