agenttesla | c55f567dcb05208ea1fa8c6647ffc90d6ad7987faff6a2738aeecfdcd57b7ed5

General

Target

SecuriteInfo.com.Win32.PWSX-gen.3181.exe
Size

616KB
MD5

52795be8ff4d8abba1a21c8fee4250ca
SHA1

9b5e2f9f31160889fecd78a7a97fba4638f17760
SHA256

c55f567dcb05208ea1fa8c6647ffc90d6ad7987faff6a2738aeecfdcd57b7ed5
SHA512

4994ffb547c91d2333d9559cf5e7e5b2dd41d3103bffa5872cc0725db41a72e99992a2a0f681fa47382d8d226c41efa2d7e4ce0d522b850bbfdcf5443bc1d969
SSDEEP

12288:52dLziss3ngxFipSYz4we4LI8dUTJyPhsvjE5bbd3hF91z:8LkwxU0Yz4CLI8dUT8PhsLKbd3hFT

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6033005603:AAFnN3UWkxnurt9KjO1qxD4NTlJRB3IwKuk/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Win32.PWSX-gen.3181.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Win32.PWSX-gen.3181.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Win32.PWSX-gen.3181.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 924 set thread context of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1472	powershell.exe
1680	powershell.exe
900	SecuriteInfo.com.Win32.PWSX-gen.3181.exe
900	SecuriteInfo.com.Win32.PWSX-gen.3181.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	SecuriteInfo.com.Win32.PWSX-gen.3181.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 1680	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	28
PID 924 wrote to memory of 1680	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	28
PID 924 wrote to memory of 1680	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	28
PID 924 wrote to memory of 1680	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	28
PID 924 wrote to memory of 1472	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	30
PID 924 wrote to memory of 1472	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	30
PID 924 wrote to memory of 1472	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	30
PID 924 wrote to memory of 1472	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	30
PID 924 wrote to memory of 1760	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	33
PID 924 wrote to memory of 1760	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	33
PID 924 wrote to memory of 1760	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	33
PID 924 wrote to memory of 1760	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	33
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34
PID 924 wrote to memory of 900	924	SecuriteInfo.com.Win32.PWSX-gen.3181.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Win32.PWSX-gen.3181.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.Win32.PWSX-gen.3181.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3181.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3181.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3181.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ffrhImHJalUK.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ffrhImHJalUK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAEC7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3181.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.3181.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAEC7.tmp

Filesize
1KB

MD5
7c44238ee2b91b5e08118e82ac3965e3

SHA1
8c2ea0b5d4c87ddbc07d3ac8592788f49c28e4f9

SHA256
b7b191971cd5aaa949b9e8e2fefe7f1c8524b9940b97caf9b81d3ccff840d680

SHA512
6cf3dcaa85c6698cb56ee65dd71da8e71ae51804b680f977be3e3a9f088cc79cd064568375bb853ad3ec25f51732a795d598efed4b69959baf89630744ec7059

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YQTXWO33OPOCA22PCCB6.temp

Filesize
7KB

MD5
794b3e2b1cf56d2e7e58f9f003ed04ec

SHA1
4ca5beb3436544615523721f9e90eb0f24334c6a

SHA256
75fe26bc82b99e004d4c9302d34a9c51dd607e0560e04253e7293d373d6f2e3a

SHA512
52993424ec080ff689bce74e8e3c9130e0ed5985e5e5364f74aeefa4b966c7cf6b18ac9ab4be18d0a681310bb018c3499c1ed21f65f77d949f1cc27f00f7982a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
794b3e2b1cf56d2e7e58f9f003ed04ec

SHA1
4ca5beb3436544615523721f9e90eb0f24334c6a

SHA256
75fe26bc82b99e004d4c9302d34a9c51dd607e0560e04253e7293d373d6f2e3a

SHA512
52993424ec080ff689bce74e8e3c9130e0ed5985e5e5364f74aeefa4b966c7cf6b18ac9ab4be18d0a681310bb018c3499c1ed21f65f77d949f1cc27f00f7982a

Download Submit
memory/900-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-82-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/900-76-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/924-72-0x0000000004E30000-0x0000000004E62000-memory.dmp

Filesize
200KB

Download
memory/924-55-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/924-56-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/924-57-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/924-54-0x00000000002C0000-0x0000000000360000-memory.dmp

Filesize
640KB

Download
memory/924-58-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/924-59-0x0000000004E70000-0x0000000004EDA000-memory.dmp

Filesize
424KB

Download
memory/1680-83-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/1680-84-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads