agenttesla | 7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62

General

Target

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
Size

962KB
MD5

3217930a87bf8b38ba8d474862548853
SHA1

3ffc1d60ad13db9a291f03b0f8ff35c0281e7d5d
SHA256

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62
SHA512

295b41f2035888446230a29f214cdfcc78d93eab3f1720387997b16630bda3698b4f3dabd31b4cbf79dc2d319d8cfb59b442ec2c72c74afec1e3b6143a91112f
SSDEEP

24576:R7Q12srPK7afcfX/9e4+l2gNG82VDkB0+9ud:R+Iafcle4U2gNGnYB0z

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5641589629:AAE7PbYkX7JPIEd1r5HHvkG2FiDsJ1HpC0c/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org

flow	ioc
7	api.ipify.org
8	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

description	pid	process	target process
PID 3272 set thread context of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3244 schtasks.exe

pid	process
3244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exepowershell.exe

pid	process
3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
Token: SeDebugPrivilege	2484	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
Token: SeDebugPrivilege	4916	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

description	pid	process	target process
PID 3272 wrote to memory of 4916	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	powershell.exe
PID 3272 wrote to memory of 4916	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	powershell.exe
PID 3272 wrote to memory of 4916	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	powershell.exe
PID 3272 wrote to memory of 3244	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	schtasks.exe
PID 3272 wrote to memory of 3244	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	schtasks.exe
PID 3272 wrote to memory of 3244	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	schtasks.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
PID 3272 wrote to memory of 2484	3272	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

outlook_office_path 1 IoCs

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

outlook_win_path 1 IoCs

Processes:

7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe

C:\Users\Admin\AppData\Local\Temp\7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
"C:\Users\Admin\AppData\Local\Temp\7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rpYsHtG.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rpYsHtG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85D9.tmp"
2⤵
- Creates scheduled task(s)
PID:3244

C:\Users\Admin\AppData\Local\Temp\7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe
"C:\Users\Admin\AppData\Local\Temp\7170058dac6c9006c7fd6273b4a824277cbac873f61c117b22279ce0cd425b62.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_02ileetw.ifl.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85D9.tmp
Filesize
1KB

MD5
6e3d339e8a7ba4ec35cb171ccdcf80bd

SHA1
8b3be222391e1a57383fcc9803d81d82e1f7133c

SHA256
b082421c2896bcb91dc25ad135adc610c4c3f7ed35d371a19f8e08c8bcbd7a10

SHA512
12389ebf5cf44e712bff27e1ff7229f6f229c0156ba63868d261412e0ee3286bc3381aaeb94d636bfef9496af466ffbac16eda0b715e9db09152e8d22b9e1c7f

Download Submit
memory/2484-150-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2484-146-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/2484-143-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2484-248-0x00000000069A0000-0x00000000069F0000-memory.dmp

Filesize
320KB

Download
memory/2484-249-0x0000000006CA0000-0x0000000006E62000-memory.dmp

Filesize
1.8MB

Download
memory/2484-403-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3272-131-0x0000000005720000-0x00000000057BC000-memory.dmp

Filesize
624KB

Download
memory/3272-130-0x00000000055E0000-0x0000000005662000-memory.dmp

Filesize
520KB

Download
memory/3272-121-0x0000000000840000-0x0000000000936000-memory.dmp

Filesize
984KB

Download
memory/3272-129-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/3272-128-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/3272-127-0x0000000002A80000-0x0000000002A92000-memory.dmp

Filesize
72KB

Download
memory/3272-126-0x0000000007920000-0x0000000007930000-memory.dmp

Filesize
64KB

Download
memory/3272-142-0x0000000006AD0000-0x0000000006B1A000-memory.dmp

Filesize
296KB

Download
memory/3272-125-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/3272-124-0x0000000007FB0000-0x0000000008300000-memory.dmp

Filesize
3.3MB

Download
memory/3272-123-0x0000000007690000-0x0000000007722000-memory.dmp

Filesize
584KB

Download
memory/3272-122-0x0000000007AB0000-0x0000000007FAE000-memory.dmp

Filesize
5.0MB

Download
memory/4916-148-0x0000000006DE0000-0x0000000006E46000-memory.dmp

Filesize
408KB

Download
memory/4916-149-0x0000000007590000-0x00000000078E0000-memory.dmp

Filesize
3.3MB

Download
memory/4916-147-0x0000000006C60000-0x0000000006C82000-memory.dmp

Filesize
136KB

Download
memory/4916-151-0x0000000007900000-0x000000000791C000-memory.dmp

Filesize
112KB

Download
memory/4916-152-0x0000000007F30000-0x0000000007F7B000-memory.dmp

Filesize
300KB

Download
memory/4916-153-0x0000000007D00000-0x0000000007D76000-memory.dmp

Filesize
472KB

Download
memory/4916-144-0x0000000006E60000-0x0000000007488000-memory.dmp

Filesize
6.2MB

Download
memory/4916-170-0x0000000008BC0000-0x0000000008BF3000-memory.dmp

Filesize
204KB

Download
memory/4916-171-0x0000000008BA0000-0x0000000008BBE000-memory.dmp

Filesize
120KB

Download
memory/4916-172-0x000000007F120000-0x000000007F130000-memory.dmp

Filesize
64KB

Download
memory/4916-177-0x0000000008D00000-0x0000000008DA5000-memory.dmp

Filesize
660KB

Download
memory/4916-178-0x00000000090D0000-0x0000000009164000-memory.dmp

Filesize
592KB

Download
memory/4916-179-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/4916-141-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/4916-140-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/4916-380-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

Filesize
104KB

Download
memory/4916-385-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/4916-394-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/4916-395-0x0000000006820000-0x0000000006830000-memory.dmp

Filesize
64KB

Download
memory/4916-139-0x00000000041E0000-0x0000000004216000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads