agenttesla | 39854874b738bcff91ff8759db8cad631739d5c2309b675d1bbf6d60da15d3f7

Analysis

max time kernel
52s
max time network
31s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
28/06/2023, 09:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

new project product.exe
Size

674KB
MD5

1a9b06437a3571135260921c5a904c84
SHA1

6ba1d1e14896b8a91749dbe8e4d84689fbef98bb
SHA256

195306e2bee1f209566b224cc483adaf4431a74851f8138fb1472c84af3b4cc0
SHA512

efc47df5ad13b46f2dc579527ca24cb2a01b9476d8ec48cd055946cefba0061809069a1ad292b782c3435e5b4814b341c4ee57d64e7c2fcffb52d4c43687a698
SSDEEP

12288:9P3WF9dtHElHWSAlfqWysRHCynETPEMIAdj9fU0mYuWgBG/b:9PETtkFWDlfMwhnETB+0mfBG/

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gimpex-imerys.com
Port:
587
Username:
[email protected]
Password:
h45ZVRb6(IMF
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	new project product.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	new project product.exe
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	new project product.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 1764	1628	new project product.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1628	new project product.exe
1628	new project product.exe
1628	new project product.exe
1628	new project product.exe
1628	new project product.exe
1628	new project product.exe
1288	powershell.exe
1764	new project product.exe
1764	new project product.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	new project product.exe
Token: SeDebugPrivilege	1764	new project product.exe
Token: SeDebugPrivilege	1288	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1288	1628	new project product.exe	28
PID 1628 wrote to memory of 1288	1628	new project product.exe	28
PID 1628 wrote to memory of 1288	1628	new project product.exe	28
PID 1628 wrote to memory of 1288	1628	new project product.exe	28
PID 1628 wrote to memory of 544	1628	new project product.exe	30
PID 1628 wrote to memory of 544	1628	new project product.exe	30
PID 1628 wrote to memory of 544	1628	new project product.exe	30
PID 1628 wrote to memory of 544	1628	new project product.exe	30
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1400	1628	new project product.exe	32
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33
PID 1628 wrote to memory of 1764	1628	new project product.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	new project product.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1306246566-3334493410-3785284834-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	new project product.exe

C:\Users\Admin\AppData\Local\Temp\new project product.exe
"C:\Users\Admin\AppData\Local\Temp\new project product.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BxnCOa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BxnCOa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:544
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\new project product.exe
  "C:\Users\Admin\AppData\Local\Temp\new project product.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCB1D.tmp

Filesize
1KB

MD5
da58f5ce9c35fbbd74181a8b4e685dc5

SHA1
d95d98b43a38412c1c12ff7b59b63bba04b25fa3

SHA256
004caa3c211fe6665019c3120f47fec2fa33cb8b196a71b8a43e06df9bb2ddfc

SHA512
d10d6c97b7590b12e668d7712dc4d1b2f93ed295f4c979a19a03d7bbd46152e5c7ff0938cb3948b760e073944ada21df5191eec2917c843108542e0af1c2a07b

Download Submit
memory/1288-77-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/1288-79-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download
memory/1628-55-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/1628-56-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/1628-57-0x0000000004EE0000-0x0000000004F20000-memory.dmp

Filesize
256KB

Download
memory/1628-58-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1628-59-0x0000000007FE0000-0x0000000008060000-memory.dmp

Filesize
512KB

Download
memory/1628-54-0x0000000000FB0000-0x000000000105E000-memory.dmp

Filesize
696KB

Download
memory/1764-65-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1764-74-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-76-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-66-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1764-78-0x0000000000680000-0x00000000006C0000-memory.dmp

Filesize
256KB

Download