agenttesla | 5be83ffe52e6517112f47fbda458f69711f7817f64520810b4254f467b0b6fcd

General

Target

PURCHASE ORDER.pdf.exe
Size

609KB
MD5

cc1654f37d3a19d363abae9afd112788
SHA1

1906b798cb71daffe4aa209383467b5dd6f19678
SHA256

ec57c2de3349840ec8ac00000c964ba5c68cda5b954f6ea4ca3ced7098257286
SHA512

5d0a27f73ebd2e3ec0fe120ee2a5e842fa9d73e3a64f003bfb670262e24f46386fd571576da1e0e5aaeca2d1d6bafd7104ea0d3ba6e4c1eab3cf806847689b3a
SSDEEP

12288:czP5fztK7xB73farrIiPBMFCQ4INiqI/V:e5fRKdBbCr0iAJNDa

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.expertsconsultgh.co
Port:
587
Username:
[email protected]
Password:
Oppong.2012
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 2964	1680	PURCHASE ORDER.pdf.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1680	PURCHASE ORDER.pdf.exe
1680	PURCHASE ORDER.pdf.exe
1680	PURCHASE ORDER.pdf.exe
1680	PURCHASE ORDER.pdf.exe
2420	powershell.exe
2440	powershell.exe
2964	RegSvcs.exe
2964	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	PURCHASE ORDER.pdf.exe
Token: SeDebugPrivilege	2964	RegSvcs.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2420	1680	PURCHASE ORDER.pdf.exe	30
PID 1680 wrote to memory of 2420	1680	PURCHASE ORDER.pdf.exe	30
PID 1680 wrote to memory of 2420	1680	PURCHASE ORDER.pdf.exe	30
PID 1680 wrote to memory of 2420	1680	PURCHASE ORDER.pdf.exe	30
PID 1680 wrote to memory of 2440	1680	PURCHASE ORDER.pdf.exe	32
PID 1680 wrote to memory of 2440	1680	PURCHASE ORDER.pdf.exe	32
PID 1680 wrote to memory of 2440	1680	PURCHASE ORDER.pdf.exe	32
PID 1680 wrote to memory of 2440	1680	PURCHASE ORDER.pdf.exe	32
PID 1680 wrote to memory of 2132	1680	PURCHASE ORDER.pdf.exe	34
PID 1680 wrote to memory of 2132	1680	PURCHASE ORDER.pdf.exe	34
PID 1680 wrote to memory of 2132	1680	PURCHASE ORDER.pdf.exe	34
PID 1680 wrote to memory of 2132	1680	PURCHASE ORDER.pdf.exe	34
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36
PID 1680 wrote to memory of 2964	1680	PURCHASE ORDER.pdf.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fvTrCsArItt.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fvTrCsArItt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53AC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp53AC.tmp

Filesize
1KB

MD5
8421a6c151983c3ee7a6b9858083232f

SHA1
3cd0d00aff3e6c335298082321bbe5bbf3e8e8b2

SHA256
d44cc0b5620f5db294a1007ae5a7e8599aec8ee04bbb8525744211fd2c0e2cb9

SHA512
5094fdc18934f3ea7ca3dd654a5f2486eed1a9b7f42f7f8e898e03b815afc384b6659bd03405ac3c333d7e0d8c8c6751fc5f8ea1685dc4f81155a3a30b412bdd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P8B7CW3118P9VIV0WH8V.temp

Filesize
7KB

MD5
daac5b79ad1ced1674aa9485e0c1fbcc

SHA1
3bc38e393991dc6ce5071f7206245018a4344959

SHA256
0da81552d52cac3cf9a1759abbe57378fc40003943552220ac86ae14a20e4be5

SHA512
926338971347368b0bc3882107bbf1cee9616f5175e9e2f865d7caff799e47e22727f95a05d87e631620694114ff77e7128cc1a3a4f9dfb4ed971e76ce896a1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
daac5b79ad1ced1674aa9485e0c1fbcc

SHA1
3bc38e393991dc6ce5071f7206245018a4344959

SHA256
0da81552d52cac3cf9a1759abbe57378fc40003943552220ac86ae14a20e4be5

SHA512
926338971347368b0bc3882107bbf1cee9616f5175e9e2f865d7caff799e47e22727f95a05d87e631620694114ff77e7128cc1a3a4f9dfb4ed971e76ce896a1e

Download Submit
memory/1680-56-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/1680-57-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-58-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1680-59-0x00000000054A0000-0x0000000005512000-memory.dmp

Filesize
456KB

Download
memory/1680-55-0x0000000004370000-0x00000000043B0000-memory.dmp

Filesize
256KB

Download
memory/1680-54-0x0000000000960000-0x00000000009FE000-memory.dmp

Filesize
632KB

Download
memory/1680-95-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-53-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2420-79-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-98-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-76-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/2420-88-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2440-82-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2440-86-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-73-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-97-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/2440-91-0x00000000026A0000-0x00000000026E0000-memory.dmp

Filesize
256KB

Download
memory/2964-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-78-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-87-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-90-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-93-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-94-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-96-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/2964-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-81-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2964-99-0x0000000074AE0000-0x00000000751CE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-100-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads