agenttesla | aabea50d1d03302c92cd5585b6eeb19afd6ca70d8d7e9e2f8b5e3250853c42bd

General

Target

Quote WQ102474.pdf.exe
Size

662KB
MD5

b7e44d38cc19d4ef0855dbc73c811887
SHA1

1a0cfa1e28567de71e08e896b31b1a6c356fe16b
SHA256

a8ee0501ce8a092cc0cdbbfd3572db5c3ad505e054ffc24e4af4b6678726f850
SHA512

c154eadae3d0d767a82c21d97896ea1d0b302765704c1ba156ea307ebba2d34b60cfde355968342eacc6350bcc41f0d3a4807e767cea022684c8cb508f82d24d
SSDEEP

12288:iVp0K8s6owaL9iUdU4b2x3STOM4jsN0sPQQZ/yMUwN4T:iVp0K8s6owahiUdUQ2x3gOMDN0sPQQ9b

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
logs@modernplesticgoa.com
Password:
JUGCRsm9
Email To:
logs@modernplesticgoa.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4748 set thread context of 392	4748	Quote WQ102474.pdf.exe	94

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94
PID 4748 wrote to memory of 392	4748	Quote WQ102474.pdf.exe	94

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Quote WQ102474.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Quote WQ102474.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:392

Network

DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

203.151.224.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

203.151.224.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

202.74.101.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.74.101.95.in-addr.arpa

IN PTR

Response

202.74.101.95.in-addr.arpa

IN PTR

a95-101-74-202deploystaticakamaitechnologiescom

20.189.173.9:443

322 B
7
96.16.110.41:443

322 B
7
87.248.202.1:80

322 B
7
87.248.202.1:80

322 B
7

8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

203.151.224.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

203.151.224.20.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

202.74.101.95.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

202.74.101.95.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-140-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/392-146-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/392-145-0x0000000006B90000-0x0000000006D52000-memory.dmp

Filesize
1.8MB

Download
memory/392-144-0x0000000006970000-0x00000000069C0000-memory.dmp

Filesize
320KB

Download
memory/392-143-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/392-142-0x0000000005650000-0x00000000056B6000-memory.dmp

Filesize
408KB

Download
memory/4748-136-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/4748-139-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4748-138-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4748-137-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/4748-133-0x0000000000340000-0x00000000003EC000-memory.dmp

Filesize
688KB

Download
memory/4748-135-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/4748-134-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.