agenttesla | 2ccceab40789542a707dac6d7bb563dd656a74e5b2e46fdd0b06fc92fce78fdb

General

Target

RFQ-0001120306790.exe
Size

333KB
MD5

4aa0212e803011d0abf7516bf779c554
SHA1

5c3d6aa9984c5828d51d7676bb06400ab1c4edda
SHA256

6d61fb56434326e96c017d57bcc4a0f2e1c3a98872d0262e2034f4e28b38ef87
SHA512

d9fdc686b06e45b85cef7c65943eb2af4fd647ed1438d1cc5259929fcdc1810ce7328c26811062045e0a2fbce047cb26b0295378dd0535a5831f5850e45e15c9
SSDEEP

6144:BnPdudwDs7mdEOkv9Lg/hcV3w+Xs4KPOto0AldiBrgCNHtXj0Ow2XqE+:BnPdw7ac9k8nc5OvLdNHtAOwq+

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
3032	nqhcvd.exe
1192	nqhcvd.exe

Loads dropped DLL 2 IoCs

pid	Process
1188	RFQ-0001120306790.exe
3032	nqhcvd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nqhcvd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nqhcvd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nqhcvd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 1192	3032	nqhcvd.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	nqhcvd.exe
1192	nqhcvd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3032	nqhcvd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	nqhcvd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3032	1188	RFQ-0001120306790.exe	28
PID 1188 wrote to memory of 3032	1188	RFQ-0001120306790.exe	28
PID 1188 wrote to memory of 3032	1188	RFQ-0001120306790.exe	28
PID 1188 wrote to memory of 3032	1188	RFQ-0001120306790.exe	28
PID 3032 wrote to memory of 1192	3032	nqhcvd.exe	29
PID 3032 wrote to memory of 1192	3032	nqhcvd.exe	29
PID 3032 wrote to memory of 1192	3032	nqhcvd.exe	29
PID 3032 wrote to memory of 1192	3032	nqhcvd.exe	29
PID 3032 wrote to memory of 1192	3032	nqhcvd.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nqhcvd.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nqhcvd.exe

C:\Users\Admin\AppData\Local\Temp\RFQ-0001120306790.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-0001120306790.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe
  "C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe
    "C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\baddzvhwk.jdm

Filesize
262KB

MD5
b1a37ca249b07f7d1e6ee6a93bd1f387

SHA1
e041217e8a19eb2f4fc7025575cfb8c5c7e2001e

SHA256
26427ae3d25621ce9c2505a801637b643bb60673d588f4396e65e30d3d25fff9

SHA512
c846b4e3e4aabfe989b0e2b050afb34141bf3f5dd932622e44d4e54b363287757b1b31a2d549960b1f48f9811d666457be8ec0e07a19a931368b84ffab9c1fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe

Filesize
171KB

MD5
e3f01ddaebd17109dd8ac24ac6cfb071

SHA1
0617c14804c5b12cc54f3963196a8fc312f27886

SHA256
c82d610a6a168120809a0c05dd53c9e9b8458d66d13c5fe5cbf2dcf7eef95a5e

SHA512
c5bf33b05026b7bde4f8857709c48fdeeb9cbff6819fa2eedd12f50515b194cc65b6e5efb534663676207db191f77a2656c62354f45eb2a63e9806538331913a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe

Filesize
171KB

MD5
e3f01ddaebd17109dd8ac24ac6cfb071

SHA1
0617c14804c5b12cc54f3963196a8fc312f27886

SHA256
c82d610a6a168120809a0c05dd53c9e9b8458d66d13c5fe5cbf2dcf7eef95a5e

SHA512
c5bf33b05026b7bde4f8857709c48fdeeb9cbff6819fa2eedd12f50515b194cc65b6e5efb534663676207db191f77a2656c62354f45eb2a63e9806538331913a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nqhcvd.exe

Filesize
171KB

MD5
e3f01ddaebd17109dd8ac24ac6cfb071

SHA1
0617c14804c5b12cc54f3963196a8fc312f27886

SHA256
c82d610a6a168120809a0c05dd53c9e9b8458d66d13c5fe5cbf2dcf7eef95a5e

SHA512
c5bf33b05026b7bde4f8857709c48fdeeb9cbff6819fa2eedd12f50515b194cc65b6e5efb534663676207db191f77a2656c62354f45eb2a63e9806538331913a

Download Submit
\Users\Admin\AppData\Local\Temp\nqhcvd.exe

Filesize
171KB

MD5
e3f01ddaebd17109dd8ac24ac6cfb071

SHA1
0617c14804c5b12cc54f3963196a8fc312f27886

SHA256
c82d610a6a168120809a0c05dd53c9e9b8458d66d13c5fe5cbf2dcf7eef95a5e

SHA512
c5bf33b05026b7bde4f8857709c48fdeeb9cbff6819fa2eedd12f50515b194cc65b6e5efb534663676207db191f77a2656c62354f45eb2a63e9806538331913a

Download Submit
\Users\Admin\AppData\Local\Temp\nqhcvd.exe

Filesize
171KB

MD5
e3f01ddaebd17109dd8ac24ac6cfb071

SHA1
0617c14804c5b12cc54f3963196a8fc312f27886

SHA256
c82d610a6a168120809a0c05dd53c9e9b8458d66d13c5fe5cbf2dcf7eef95a5e

SHA512
c5bf33b05026b7bde4f8857709c48fdeeb9cbff6819fa2eedd12f50515b194cc65b6e5efb534663676207db191f77a2656c62354f45eb2a63e9806538331913a

Download Submit
memory/1192-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-10-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-17-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/1192-16-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/1192-18-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1192-19-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/1192-20-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-21-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-6-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing