agenttesla | 7998f63698788983a274a8615a93e3a14153516e5c20eb8e94911ac6e14feb28

General

Target

SWIFT.pdf.exe
Size

538KB
MD5

4b16c4589ce3211b6f45051b5fb422b0
SHA1

2b60d36184571a1bc35c335ab8941c2bdc7f02b2
SHA256

ac04f04d01ae5428a8017be37d7d1352ad3212852c259d1a0e2f775969ecc36c
SHA512

38796bb1952559726ed4f47344962fa8dd7b051b12266f9dbfc149b5262f99f24803416ef7986577021b96bc118b39d05c95be9830b1f29ffb23c33c751b5526
SSDEEP

6144:Jf4NOk8oV/BR1z/8XIppg4P/l27t9mrvlRlOYADKgt5Q1OW4kXQAN2Tr3+oUSWXh:hi+9m7H2RqF4kXQf7WX42Yu26NCc6P

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.expertsconsultgh.co
Port:
587
Username:
[email protected]
Password:
Oppong.2012
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 2216	2412	SWIFT.pdf.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2412	SWIFT.pdf.exe
2412	SWIFT.pdf.exe
2412	SWIFT.pdf.exe
2680	powershell.exe
2668	powershell.exe
2216	RegSvcs.exe
2216	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	SWIFT.pdf.exe
Token: SeDebugPrivilege	2216	RegSvcs.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2680	2412	SWIFT.pdf.exe	30
PID 2412 wrote to memory of 2680	2412	SWIFT.pdf.exe	30
PID 2412 wrote to memory of 2680	2412	SWIFT.pdf.exe	30
PID 2412 wrote to memory of 2680	2412	SWIFT.pdf.exe	30
PID 2412 wrote to memory of 2668	2412	SWIFT.pdf.exe	32
PID 2412 wrote to memory of 2668	2412	SWIFT.pdf.exe	32
PID 2412 wrote to memory of 2668	2412	SWIFT.pdf.exe	32
PID 2412 wrote to memory of 2668	2412	SWIFT.pdf.exe	32
PID 2412 wrote to memory of 2492	2412	SWIFT.pdf.exe	34
PID 2412 wrote to memory of 2492	2412	SWIFT.pdf.exe	34
PID 2412 wrote to memory of 2492	2412	SWIFT.pdf.exe	34
PID 2412 wrote to memory of 2492	2412	SWIFT.pdf.exe	34
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36
PID 2412 wrote to memory of 2216	2412	SWIFT.pdf.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SWIFT.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SWIFT.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UOGegcK.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UOGegcK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp56D.tmp

Filesize
1KB

MD5
c5123042a082ab5d5eb987a9379abcfb

SHA1
0a2a52d3d83525616fc094ac33b4b640504952f3

SHA256
7c5f155cf221c3f76084f367907ee24d5cee0cc134bcb6ddbf2957fb7ea8d1e6

SHA512
fd7f3a2445760d2e9244df907f761c042fd48c420f3c797b9e09bcf3dd3bbbcaa6dd10c0c4ab0eb002864bf8224f1a7acdb092db9f4db55f271fa360154d12b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6H752JDJ9BQB46UOWY6T.temp

Filesize
7KB

MD5
00e23732a2cabf39d759d2cb9da077f0

SHA1
3b30948431f96cc1c894c39d9701b085648f311c

SHA256
94d640eb950176f48af8a2aaafb8176a241975b5710399b285c250822f73fa6e

SHA512
9c07a8e2ed9029848f7895e5c102ebb2de2ab54cfd94e28778906e3d304743498b9be9fff03724c81f804ea949a1dcbbf4af1b3dedfd2a456b554bcece6cd665

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00e23732a2cabf39d759d2cb9da077f0

SHA1
3b30948431f96cc1c894c39d9701b085648f311c

SHA256
94d640eb950176f48af8a2aaafb8176a241975b5710399b285c250822f73fa6e

SHA512
9c07a8e2ed9029848f7895e5c102ebb2de2ab54cfd94e28778906e3d304743498b9be9fff03724c81f804ea949a1dcbbf4af1b3dedfd2a456b554bcece6cd665

Download Submit
memory/2216-41-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-42-0x0000000002230000-0x0000000002270000-memory.dmp

Filesize
256KB

Download
memory/2216-46-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-21-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2412-8-0x00000000054A0000-0x000000000550A000-memory.dmp

Filesize
424KB

Download
memory/2412-37-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-1-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-2-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/2412-7-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2412-6-0x0000000000410000-0x0000000000418000-memory.dmp

Filesize
32KB

Download
memory/2412-3-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2412-5-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/2412-4-0x0000000074180000-0x000000007486E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-0-0x00000000001F0000-0x000000000027A000-memory.dmp

Filesize
552KB

Download
memory/2668-33-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2668-38-0x000000006DCA0000-0x000000006E24B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-39-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2668-43-0x0000000002120000-0x0000000002160000-memory.dmp

Filesize
256KB

Download
memory/2668-44-0x000000006DCA0000-0x000000006E24B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-26-0x000000006DCA0000-0x000000006E24B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-40-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2680-32-0x000000006DCA0000-0x000000006E24B000-memory.dmp

Filesize
5.7MB

Download
memory/2680-28-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download
memory/2680-45-0x000000006DCA0000-0x000000006E24B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads