agenttesla | 574febaebd2d121ff74f363e268e4bf652841e284e1db03960d1f26338ea0eea

Analysis

max time kernel
62s
max time network
75s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30/06/2023, 13:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PO017pdfexeexeexe.exe
Size

827KB
MD5

00ec105e5693996ddeacc232ae4fe0b8
SHA1

cb642f5bd20eb7a47b73d52399993a393e078bd3
SHA256

574febaebd2d121ff74f363e268e4bf652841e284e1db03960d1f26338ea0eea
SHA512

0fae7d8af49f4f8bec6ed616a80f505440fc1f507cac6d81cc671e9edb4cfe78acf7937c181394f1c8209cbd0d74fd7b175c983308b51bd664070f0b92b9ccc8
SSDEEP

12288:4jOtvHMm5x6kqP8JUXnoswX0/Lh+OOd0Dz7RQsUa7sMQHjGV5:UOtT5xNcxXnYE9vOQpHUa7aKV5

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6189714391:AAFjToOdqxqti463Jxb44FuKRmVMyNjH1c8/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1892	PO.exe
1656	PO.exe

Loads dropped DLL 5 IoCs

pid	Process
1060	PO017pdfexeexeexe.exe
1060	PO017pdfexeexeexe.exe
1060	PO017pdfexeexeexe.exe
1060	PO017pdfexeexeexe.exe
1892	PO.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe
Key opened	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe
Key opened	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"	PO.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1892 set thread context of 1656	1892	PO.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	PO.exe
1656	PO.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	PO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1800	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1656	PO.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 1892	1060	PO017pdfexeexeexe.exe	29
PID 1060 wrote to memory of 1892	1060	PO017pdfexeexeexe.exe	29
PID 1060 wrote to memory of 1892	1060	PO017pdfexeexeexe.exe	29
PID 1060 wrote to memory of 1892	1060	PO017pdfexeexeexe.exe	29
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30
PID 1892 wrote to memory of 1656	1892	PO.exe	30

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	PO.exe

C:\Users\Admin\AppData\Local\Temp\PO017pdfexeexeexe.exe
"C:\Users\Admin\AppData\Local\Temp\PO017pdfexeexeexe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1656

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabDEBE.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
79KB

MD5
8c010ac115fd43cbcd857b65eb55b22f

SHA1
0363a3fbe7068585418e3da16a95c5134f1541e6

SHA256
d1b6efdb53ac09e116e613f2f07ab4b43bdd87be9539cbb54c728494578c864b

SHA512
50235dcd8fe0a36c7ffaf401ad7c0c99f8c1d3f805bbb638b1570b4808db69e86b1351986692a031fbd63a66e13e4decb8f574f91284940a1dd3eb07804abf53

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
666KB

MD5
d06351a5211d2e57a41b6abb661a0eae

SHA1
4bcc43cf403b94f12d145d2fb298060736cdef17

SHA256
c531a66df6fe605e2a6dd6d4d865b5c642f3baccb975ee595330fa14c52844d1

SHA512
a4b6158d5a36eb131910e771d69f127641cf44c4a6a0d1e8b15e92b64f004404ccbe389e6befa651149c6c08e87d22d95677e9eefa53735faee46b423d445f57

Download Submit
memory/1060-58-0x0000000002190000-0x0000000002192000-memory.dmp

Filesize
8KB

Download
memory/1656-86-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-120-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/1656-95-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/1656-94-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-92-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1656-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-75-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1800-59-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1800-79-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1892-77-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download
memory/1892-74-0x0000000000A80000-0x0000000000B2C000-memory.dmp

Filesize
688KB

Download
memory/1892-76-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1892-82-0x00000000059E0000-0x0000000005A4A000-memory.dmp

Filesize
424KB

Download
memory/1892-81-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1892-80-0x0000000002150000-0x0000000002190000-memory.dmp

Filesize
256KB

Download