agenttesla | 83072f7973b5645ad12be449c1d1b82a1f89bcaacd67e40e9ffcce51ad523996

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION_AUG7FIBA00541·PDF.scr
Size

1.9MB
MD5

d4911d962a6859d8544de644b160e91b
SHA1

61029ad3b67efdfd51b7a665d4378cb6f7082e1d
SHA256

b3ab80d90b42dd4e93015b6133369412603a9a5f1209651a4aa50abc43915a44
SHA512

c78618c4f6f73b9347f31be8760fc30220acd6fb9f3eb3cd55b319e359787e47e3456659f6a8e2d95f5de5cb814c484354fd583ec5e1cf65d315bec0ae298e88
SSDEEP

49152:tv30cImOG1HGdMdwx0uuNceyUNdPWVc5:tv3YTkceyUN9WV

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
nxhvhvlhjbskrvmk
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	QUOTATION_AUG7FIBA00541·PDF.scr

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 800 set thread context of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1132	ipconfig.exe
3428	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	aspnet_compiler.exe
1560	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	800	QUOTATION_AUG7FIBA00541·PDF.scr
Token: SeDebugPrivilege	1560	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1560	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 4252	800	QUOTATION_AUG7FIBA00541·PDF.scr	87
PID 800 wrote to memory of 4252	800	QUOTATION_AUG7FIBA00541·PDF.scr	87
PID 800 wrote to memory of 4252	800	QUOTATION_AUG7FIBA00541·PDF.scr	87
PID 4252 wrote to memory of 1132	4252	cmd.exe	89
PID 4252 wrote to memory of 1132	4252	cmd.exe	89
PID 4252 wrote to memory of 1132	4252	cmd.exe	89
PID 800 wrote to memory of 2972	800	QUOTATION_AUG7FIBA00541·PDF.scr	94
PID 800 wrote to memory of 2972	800	QUOTATION_AUG7FIBA00541·PDF.scr	94
PID 800 wrote to memory of 2972	800	QUOTATION_AUG7FIBA00541·PDF.scr	94
PID 2972 wrote to memory of 3428	2972	cmd.exe	96
PID 2972 wrote to memory of 3428	2972	cmd.exe	96
PID 2972 wrote to memory of 3428	2972	cmd.exe	96
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97
PID 800 wrote to memory of 1560	800	QUOTATION_AUG7FIBA00541·PDF.scr	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUG7FIBA00541·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUG7FIBA00541·PDF.scr" /S
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:3428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/800-0-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/800-1-0x0000000000610000-0x0000000000800000-memory.dmp

Filesize
1.9MB

Download
memory/800-2-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/800-3-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/800-4-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/800-5-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/800-6-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-7-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-9-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-11-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-13-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-15-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-17-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-19-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-21-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-23-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-25-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-27-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-29-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-31-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-33-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-35-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-37-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-39-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-41-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-43-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-45-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-47-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-49-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-51-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-53-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-55-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-57-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-59-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-61-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-63-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-65-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-67-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-69-0x0000000006730000-0x00000000067F4000-memory.dmp

Filesize
784KB

Download
memory/800-1082-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/800-1083-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/800-1084-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/800-1087-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1560-1089-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1560-1088-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1560-1090-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

Filesize
64KB

Download
memory/1560-1091-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/1560-1092-0x0000000005D50000-0x0000000005DA0000-memory.dmp

Filesize
320KB

Download
memory/1560-1093-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download