agenttesla | e012fece84a21dbbf5ca0746d60ffbda043abd87571df6154adaa9d0d6cb1acb

General

Target

SHIPPING DOCUMENT.exe
Size

304KB
MD5

55e427eeb55dcdd1f8f9c28ecb7c1645
SHA1

59aaf8d4aa1ff5d3860b85ef9c292143dda2031a
SHA256

2a6df4ce52a6d75e94e0e70e4892db53106458bbe3a18efcadfd2150bab937f4
SHA512

db7a58a28f6fb4ae5ec3f4b7755f9d7645b84ce53f749593d368d351e28ed3b73951dbf4d78e75d07078ebe35e9a3173776be8742eea9d74fca317c0482552e0
SSDEEP

6144:/Ya6PNXzgewyJ46TVKISoft6h53zzXb8NIGDrgqjWqV49HAa:/Y9mI4YVJe3zKIoUqjxha

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Loads dropped DLL 1 IoCs

pid	Process
4392	SHIPPING DOCUMENT.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SHIPPING DOCUMENT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SHIPPING DOCUMENT.exe
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SHIPPING DOCUMENT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ycdwx = "C:\\Users\\Admin\\AppData\\Roaming\\Ycdwx\\Ycdwx.exe"	SHIPPING DOCUMENT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org
26	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 1916	4392	SHIPPING DOCUMENT.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1916	SHIPPING DOCUMENT.exe
1916	SHIPPING DOCUMENT.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4392	SHIPPING DOCUMENT.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	SHIPPING DOCUMENT.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 1916	4392	SHIPPING DOCUMENT.exe	85
PID 4392 wrote to memory of 1916	4392	SHIPPING DOCUMENT.exe	85
PID 4392 wrote to memory of 1916	4392	SHIPPING DOCUMENT.exe	85
PID 4392 wrote to memory of 1916	4392	SHIPPING DOCUMENT.exe	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SHIPPING DOCUMENT.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SHIPPING DOCUMENT.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe
  "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENT.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa862A.tmp\egafrron.dll

Filesize
88KB

MD5
afbc1f6d2ef8f6eef984f822298e1916

SHA1
d8b93398f68ab668ec4bc900754078ecf5a9c2d4

SHA256
22b5060c41b75b72a3c90783e6d600b079dcd3234b37c05b6c93e08fd8af4140

SHA512
840f319942dd869e8b284299f2318a581ae4cdc6054ed3176a8937dcb67fa76a86ba6f21e9c219aa5d4e3c57049106c6dcd4bbe445173e77021b62124a14c819

Download Submit
memory/1916-147-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-149-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-158-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-143-0x0000000004B60000-0x0000000005104000-memory.dmp

Filesize
5.6MB

Download
memory/1916-144-0x00000000049D0000-0x0000000004A36000-memory.dmp

Filesize
408KB

Download
memory/1916-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-146-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-140-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-148-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1916-150-0x0000000005CB0000-0x0000000005D00000-memory.dmp

Filesize
320KB

Download
memory/1916-151-0x0000000005D00000-0x0000000005EC2000-memory.dmp

Filesize
1.8MB

Download
memory/1916-152-0x0000000005EE0000-0x0000000005F72000-memory.dmp

Filesize
584KB

Download
memory/1916-153-0x0000000006000000-0x000000000600A000-memory.dmp

Filesize
40KB

Download
memory/1916-155-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-156-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/1916-157-0x0000000004B50000-0x0000000004B60000-memory.dmp

Filesize
64KB

Download
memory/4392-139-0x00000000022E0000-0x00000000022E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing