agenttesla | 997bd2e38191c4def9366906e95ffbea6a793dc4806dcbf798157e51531cbf31

General

Target

3bb96601470f69bd7c315ab08e5d4c90.exe
Size

983KB
MD5

3bb96601470f69bd7c315ab08e5d4c90
SHA1

ed08f1e0b5db032a514cc57ecd0c57b5dd8a6fb9
SHA256

997bd2e38191c4def9366906e95ffbea6a793dc4806dcbf798157e51531cbf31
SHA512

16988982e968a6a8c909e9ec4d9ae32bb940e9d37a68a1b96d210e19b80f5c29ed0aa3278b7333eaba0ec93e3254bb657dbd891621a81f83dd291ba8a72a7fc7
SSDEEP

24576:I5FLaVUH999IWxYJkkWM/0SRi7fTI6oQU:4JBH9IWxMfRin6QU

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5369838257:AAH0QHFHfBRqr9bqyjTzsODOcSzKccuPJhg/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3bb96601470f69bd7c315ab08e5d4c90.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3bb96601470f69bd7c315ab08e5d4c90.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3bb96601470f69bd7c315ab08e5d4c90.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
824	3bb96601470f69bd7c315ab08e5d4c90.exe
824	3bb96601470f69bd7c315ab08e5d4c90.exe
928	3bb96601470f69bd7c315ab08e5d4c90.exe
928	3bb96601470f69bd7c315ab08e5d4c90.exe
648	powershell.exe
668	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	3bb96601470f69bd7c315ab08e5d4c90.exe
Token: SeDebugPrivilege	928	3bb96601470f69bd7c315ab08e5d4c90.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	3bb96601470f69bd7c315ab08e5d4c90.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 668	824	3bb96601470f69bd7c315ab08e5d4c90.exe	28
PID 824 wrote to memory of 668	824	3bb96601470f69bd7c315ab08e5d4c90.exe	28
PID 824 wrote to memory of 668	824	3bb96601470f69bd7c315ab08e5d4c90.exe	28
PID 824 wrote to memory of 668	824	3bb96601470f69bd7c315ab08e5d4c90.exe	28
PID 824 wrote to memory of 648	824	3bb96601470f69bd7c315ab08e5d4c90.exe	30
PID 824 wrote to memory of 648	824	3bb96601470f69bd7c315ab08e5d4c90.exe	30
PID 824 wrote to memory of 648	824	3bb96601470f69bd7c315ab08e5d4c90.exe	30
PID 824 wrote to memory of 648	824	3bb96601470f69bd7c315ab08e5d4c90.exe	30
PID 824 wrote to memory of 1984	824	3bb96601470f69bd7c315ab08e5d4c90.exe	31
PID 824 wrote to memory of 1984	824	3bb96601470f69bd7c315ab08e5d4c90.exe	31
PID 824 wrote to memory of 1984	824	3bb96601470f69bd7c315ab08e5d4c90.exe	31
PID 824 wrote to memory of 1984	824	3bb96601470f69bd7c315ab08e5d4c90.exe	31
PID 824 wrote to memory of 884	824	3bb96601470f69bd7c315ab08e5d4c90.exe	34
PID 824 wrote to memory of 884	824	3bb96601470f69bd7c315ab08e5d4c90.exe	34
PID 824 wrote to memory of 884	824	3bb96601470f69bd7c315ab08e5d4c90.exe	34
PID 824 wrote to memory of 884	824	3bb96601470f69bd7c315ab08e5d4c90.exe	34
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35
PID 824 wrote to memory of 928	824	3bb96601470f69bd7c315ab08e5d4c90.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3bb96601470f69bd7c315ab08e5d4c90.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3bb96601470f69bd7c315ab08e5d4c90.exe

C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe
"C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eJLwkd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eJLwkd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE496.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe
  "C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe"
  2⤵
  PID:884
- C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe
  "C:\Users\Admin\AppData\Local\Temp\3bb96601470f69bd7c315ab08e5d4c90.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE496.tmp

Filesize
1KB

MD5
6fa413bdd693a5501b64bdd59b246c8b

SHA1
e3132a632dc84221f3530a02bad43487db397678

SHA256
2f06cc130d33874b3b87fb6055af6ef0c905d1c8e30851371a8631c3f23d285c

SHA512
65c06934de1e10703d9716d69d070aad84e4c525077f4cd80cf5612666f970fa637d0084f76414a1a3cf55f66a0c2b372c92f67486a1c0adea0a98b7cda01adb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H42VD61HJ4518XZKOYO2.temp

Filesize
7KB

MD5
24abf160150b56e10a0ec78bf9defa8e

SHA1
8d345c66b49669b20d1b223964b49b849cb363af

SHA256
7e771901044e906b0cf424f54a5046d2df929d1da5c2184a09bb59f8db150533

SHA512
4b5431d24ffb7f005a2ba3ff1386b1f69bff958ac8015266613ef30335adb6ae0b4e8527b71360f675b2abce5f99c9d5595415368815c454691ca92a424eedfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
24abf160150b56e10a0ec78bf9defa8e

SHA1
8d345c66b49669b20d1b223964b49b849cb363af

SHA256
7e771901044e906b0cf424f54a5046d2df929d1da5c2184a09bb59f8db150533

SHA512
4b5431d24ffb7f005a2ba3ff1386b1f69bff958ac8015266613ef30335adb6ae0b4e8527b71360f675b2abce5f99c9d5595415368815c454691ca92a424eedfd

Download Submit
memory/648-83-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/668-84-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/668-85-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/824-57-0x0000000004240000-0x0000000004280000-memory.dmp

Filesize
256KB

Download
memory/824-59-0x0000000007310000-0x0000000007386000-memory.dmp

Filesize
472KB

Download
memory/824-58-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/824-72-0x0000000004120000-0x000000000415E000-memory.dmp

Filesize
248KB

Download
memory/824-54-0x0000000000180000-0x000000000027C000-memory.dmp

Filesize
1008KB

Download
memory/824-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/824-55-0x0000000004240000-0x0000000004280000-memory.dmp

Filesize
256KB

Download
memory/928-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/928-78-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-82-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-76-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-75-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/928-89-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads