agenttesla | faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04

General

Target

faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04.exe
Size

323KB
MD5

282da519a6b85649d64ec53f9943d4b1
SHA1

18b1001d2caf463778507fc16ef290bc5bc04620
SHA256

faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04
SHA512

c85533c0eba8e369c60a948553e1dd29d7fdd1e7149ea040c3feedaae260bbe9e4f64c144d34b8fd176b7de5eae7597f6c7c2e80871fc28197da992a5341aaa5
SSDEEP

6144:/Ya635XwYp7ZepeoEI9AYoaITHp1PDA5qFxKnvRM7hcX5H:/Yl5XwYpcgojrgbLA5sxKn5Msh

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
3564	xwxglxhmw.exe
552	xwxglxhmw.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xwxglxhmw.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xwxglxhmw.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xwxglxhmw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3564 set thread context of 552	3564	xwxglxhmw.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
552	xwxglxhmw.exe
552	xwxglxhmw.exe
552	xwxglxhmw.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3564	xwxglxhmw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	552	xwxglxhmw.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3564	3404	faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04.exe	85
PID 3404 wrote to memory of 3564	3404	faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04.exe	85
PID 3404 wrote to memory of 3564	3404	faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04.exe	85
PID 3564 wrote to memory of 552	3564	xwxglxhmw.exe	86
PID 3564 wrote to memory of 552	3564	xwxglxhmw.exe	86
PID 3564 wrote to memory of 552	3564	xwxglxhmw.exe	86
PID 3564 wrote to memory of 552	3564	xwxglxhmw.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xwxglxhmw.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	xwxglxhmw.exe

C:\Users\Admin\AppData\Local\Temp\faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04.exe
"C:\Users\Admin\AppData\Local\Temp\faf2715b604f9fb6f5774483b2e719220b8dab2d3ac3ced882b991c0220f5a04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe
  "C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe" C:\Users\Admin\AppData\Local\Temp\biwaela.t
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe
    "C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\biwaela.t

Filesize
5KB

MD5
c8ca0d917a2da7fa753243ee9345ab9e

SHA1
888730566e3fa4caf7fa6fae9153294fb1eddb7f

SHA256
10ad588e534fbf964779eed500e70e4856ff40dff9e8811c2a0a6e1a0008c67f

SHA512
3c664f5bf5eec0b6eab6dedaaccf14c2892ec06c6d6a0e4e87a0b8eab4fcda5851919f9b8573c9bc52efa88fbf5d768d282d9cbd71cc35c828255ecbe11cf2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddgoh.iv

Filesize
315KB

MD5
53d3a481a70c42f455b23fcb7d51edcc

SHA1
882037b2b938594cbe96da4df39e7dc356d31fe9

SHA256
9352e56683bb7f269af3fbbf94d0983ddfa4f86ded203f8ad085a81ecaa765d7

SHA512
b1c04646ce1d9f9ddd50a41a6649e40ddbe89983561d1ba59a529723bed3c421e5a7a90a09a1bc3d5d87717c601a8ba1792224d16b3a27bc22b9636e3e75ab2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe

Filesize
59KB

MD5
11422760805e71534c36b3daf844b029

SHA1
6a3292d5599cd474e900a5c182665774699b742c

SHA256
356e7a175d906299eae3c8d5061d5f0602e2d34535bc1b81a5b514ac54129258

SHA512
0a0d6b0a8634fe3b632a03b7d6d6d4305c40962554adcf333224b88644e771cb8e57a86842e07a4af235974809087fab24325d3f950d4475018eb97a20d9036a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe

Filesize
59KB

MD5
11422760805e71534c36b3daf844b029

SHA1
6a3292d5599cd474e900a5c182665774699b742c

SHA256
356e7a175d906299eae3c8d5061d5f0602e2d34535bc1b81a5b514ac54129258

SHA512
0a0d6b0a8634fe3b632a03b7d6d6d4305c40962554adcf333224b88644e771cb8e57a86842e07a4af235974809087fab24325d3f950d4475018eb97a20d9036a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xwxglxhmw.exe

Filesize
59KB

MD5
11422760805e71534c36b3daf844b029

SHA1
6a3292d5599cd474e900a5c182665774699b742c

SHA256
356e7a175d906299eae3c8d5061d5f0602e2d34535bc1b81a5b514ac54129258

SHA512
0a0d6b0a8634fe3b632a03b7d6d6d4305c40962554adcf333224b88644e771cb8e57a86842e07a4af235974809087fab24325d3f950d4475018eb97a20d9036a

Download Submit
memory/552-148-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/552-152-0x0000000006440000-0x00000000064A6000-memory.dmp

Filesize
408KB

Download
memory/552-144-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/552-146-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/552-147-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/552-141-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/552-149-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/552-150-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/552-151-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/552-143-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/552-153-0x0000000006630000-0x0000000006680000-memory.dmp

Filesize
320KB

Download
memory/552-154-0x0000000006790000-0x0000000006822000-memory.dmp

Filesize
584KB

Download
memory/552-155-0x0000000006AB0000-0x0000000006ABA000-memory.dmp

Filesize
40KB

Download
memory/552-156-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/552-157-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/552-158-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/552-159-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing