agenttesla | d30fa0321c74d47ff319db345eaa7bf720a8bdde4a524a0b46f4a21484c75d1a

General

Target

Product Order.exe
Size

776KB
MD5

dc864332ee7a85324d0cda25fac3bf21
SHA1

5be0e586e93b9042f8a72e1c1bb1a5182a4066d3
SHA256

8aead2c3d3796d348dc61029023a5679f2ef747c8ce155a767d5e47280e5ec26
SHA512

f02820ec93fc9f4794e5144986f9defa41a5510c758f43273eb6ad7d0b9ad537ebab5cacc63ea705152eb514572abe345db29406d4a9fabddde6b7cb8ee1e1f1
SSDEEP

24576:KiOV/NOapDl4JebJgUte4/pB18/dBrZNx2JBJ:KiOV/NOapDlpKUM4/po//rZz2JBJ

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6254200827:AAE72ehike93Yl10K-g-eoD9WA3Xk9taVes/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Product Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Product Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Product Order.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 300	836	Product Order.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
836	Product Order.exe
836	Product Order.exe
836	Product Order.exe
836	Product Order.exe
676	powershell.exe
300	Product Order.exe
300	Product Order.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	Product Order.exe
Token: SeDebugPrivilege	300	Product Order.exe
Token: SeDebugPrivilege	676	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 676	836	Product Order.exe	28
PID 836 wrote to memory of 676	836	Product Order.exe	28
PID 836 wrote to memory of 676	836	Product Order.exe	28
PID 836 wrote to memory of 676	836	Product Order.exe	28
PID 836 wrote to memory of 564	836	Product Order.exe	30
PID 836 wrote to memory of 564	836	Product Order.exe	30
PID 836 wrote to memory of 564	836	Product Order.exe	30
PID 836 wrote to memory of 564	836	Product Order.exe	30
PID 836 wrote to memory of 1080	836	Product Order.exe	32
PID 836 wrote to memory of 1080	836	Product Order.exe	32
PID 836 wrote to memory of 1080	836	Product Order.exe	32
PID 836 wrote to memory of 1080	836	Product Order.exe	32
PID 836 wrote to memory of 1908	836	Product Order.exe	33
PID 836 wrote to memory of 1908	836	Product Order.exe	33
PID 836 wrote to memory of 1908	836	Product Order.exe	33
PID 836 wrote to memory of 1908	836	Product Order.exe	33
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34
PID 836 wrote to memory of 300	836	Product Order.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Product Order.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Product Order.exe

C:\Users\Admin\AppData\Local\Temp\Product Order.exe
"C:\Users\Admin\AppData\Local\Temp\Product Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NNrzPTbykttn.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NNrzPTbykttn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA90C.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:564
- C:\Users\Admin\AppData\Local\Temp\Product Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Product Order.exe"
  2⤵
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\Product Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Product Order.exe"
  2⤵
  PID:1908
- C:\Users\Admin\AppData\Local\Temp\Product Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Product Order.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA90C.tmp

Filesize
1KB

MD5
fdae4a0fbba199172873b410af5c7e42

SHA1
a5c4612629d871dd62532957f170f21f8a7f27a8

SHA256
5ea514f49b951d476eebf361b960e8e24a0e2eff81b813a9b189125992d51d69

SHA512
328fe4f0c6cceef9660ba517e5d8bc0636a6ab7ad04a50a2eda422b26fad990cc01725b883cb7cbe77a4c678f2423d2df22641d8ecdd3ad63d578c2d62ef4e8d

Download Submit
memory/300-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/300-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/300-97-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/300-78-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/300-77-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/300-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/300-73-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/300-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/300-69-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/300-71-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/676-79-0x0000000002620000-0x0000000002660000-memory.dmp

Filesize
256KB

Download
memory/836-56-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/836-54-0x0000000000020000-0x00000000000E8000-memory.dmp

Filesize
800KB

Download
memory/836-67-0x00000000051F0000-0x0000000005224000-memory.dmp

Filesize
208KB

Download
memory/836-55-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download
memory/836-59-0x00000000055A0000-0x000000000560A000-memory.dmp

Filesize
424KB

Download
memory/836-58-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/836-57-0x0000000004BE0000-0x0000000004C20000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads