agenttesla | 88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2

General

Target

88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe
Size

489KB
MD5

80db50a5a702d2911e7e2d1ebaf80361
SHA1

38981edc6ce8e39eb9644d1e8942a4317b17c43f
SHA256

88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2
SHA512

e1240fe0ab90e5e1078f90a6f127b62aec5be8f3850cb9c25bf8e2127fccb32a464137b3b77673920c4a72b33c72243d0047c3bf5fd04cafd035c78b0214fde0
SSDEEP

12288:NnPdEaDT2T0FvA8ZTI4GEIcdkETQ16fWQ6NU:BPdhyT0+U02IcmgqNU

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2340	cdudhgmre.exe
2692	cdudhgmre.exe

Loads dropped DLL 2 IoCs

pid	Process
1944	88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe
2340	cdudhgmre.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdudhgmre.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdudhgmre.exe
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdudhgmre.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myapp = "C:\\Users\\Admin\\AppData\\Roaming\\Myapp\\Myapp.exe"	cdudhgmre.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 2692	2340	cdudhgmre.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	cdudhgmre.exe
2692	cdudhgmre.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2340	cdudhgmre.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	cdudhgmre.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2340	1944	88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe	28
PID 1944 wrote to memory of 2340	1944	88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe	28
PID 1944 wrote to memory of 2340	1944	88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe	28
PID 1944 wrote to memory of 2340	1944	88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe	28
PID 2340 wrote to memory of 2692	2340	cdudhgmre.exe	29
PID 2340 wrote to memory of 2692	2340	cdudhgmre.exe	29
PID 2340 wrote to memory of 2692	2340	cdudhgmre.exe	29
PID 2340 wrote to memory of 2692	2340	cdudhgmre.exe	29
PID 2340 wrote to memory of 2692	2340	cdudhgmre.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdudhgmre.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cdudhgmre.exe

C:\Users\Admin\AppData\Local\Temp\88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\88481fc9b8b2beb564ae58c9ad551d3810a15fbb58a7dc98944167e2f8f2dfd2_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe
  "C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe
    "C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe

Filesize
176KB

MD5
e90f2ebfdc75d526692f3ca90d7effd5

SHA1
1776734bc90fd8376c549105b18ecf402d78a8f6

SHA256
77d99fd96db69bfb826c09fb65fa592597b667f9f1f6b286a7a10d884d34577a

SHA512
1782f9a7cd2c8ad7be5b1d69408567cd84389029d41e753c19376a73f6f4d7db3e43cac80edc03787f2f1e1523eedb3f8ec910cbdbdd7ece38ea3b934fc1f955

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe

Filesize
176KB

MD5
e90f2ebfdc75d526692f3ca90d7effd5

SHA1
1776734bc90fd8376c549105b18ecf402d78a8f6

SHA256
77d99fd96db69bfb826c09fb65fa592597b667f9f1f6b286a7a10d884d34577a

SHA512
1782f9a7cd2c8ad7be5b1d69408567cd84389029d41e753c19376a73f6f4d7db3e43cac80edc03787f2f1e1523eedb3f8ec910cbdbdd7ece38ea3b934fc1f955

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdudhgmre.exe

Filesize
176KB

MD5
e90f2ebfdc75d526692f3ca90d7effd5

SHA1
1776734bc90fd8376c549105b18ecf402d78a8f6

SHA256
77d99fd96db69bfb826c09fb65fa592597b667f9f1f6b286a7a10d884d34577a

SHA512
1782f9a7cd2c8ad7be5b1d69408567cd84389029d41e753c19376a73f6f4d7db3e43cac80edc03787f2f1e1523eedb3f8ec910cbdbdd7ece38ea3b934fc1f955

Download Submit
C:\Users\Admin\AppData\Local\Temp\qxgxiq.x

Filesize
548KB

MD5
edaf5206a681d23ce75bc99866e1c2be

SHA1
933c25c9edd860a25a99d9a9d282ab6dc45d39da

SHA256
bdc80b2d716fb71a6ed127dd299c316d9865d1fe553f6ccaf58720d59d1daa3f

SHA512
b7a8e2e417fc44fb82ada3baaf34ee987cb3ba3d1a10182bdef4fab71b888fab297fb77b4cb1db38495dc656711c52063686d540d79aadcddf2f1d2d59721453

Download Submit
\Users\Admin\AppData\Local\Temp\cdudhgmre.exe

Filesize
176KB

MD5
e90f2ebfdc75d526692f3ca90d7effd5

SHA1
1776734bc90fd8376c549105b18ecf402d78a8f6

SHA256
77d99fd96db69bfb826c09fb65fa592597b667f9f1f6b286a7a10d884d34577a

SHA512
1782f9a7cd2c8ad7be5b1d69408567cd84389029d41e753c19376a73f6f4d7db3e43cac80edc03787f2f1e1523eedb3f8ec910cbdbdd7ece38ea3b934fc1f955

Download Submit
\Users\Admin\AppData\Local\Temp\cdudhgmre.exe

Filesize
176KB

MD5
e90f2ebfdc75d526692f3ca90d7effd5

SHA1
1776734bc90fd8376c549105b18ecf402d78a8f6

SHA256
77d99fd96db69bfb826c09fb65fa592597b667f9f1f6b286a7a10d884d34577a

SHA512
1782f9a7cd2c8ad7be5b1d69408567cd84389029d41e753c19376a73f6f4d7db3e43cac80edc03787f2f1e1523eedb3f8ec910cbdbdd7ece38ea3b934fc1f955

Download Submit
memory/2340-6-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/2692-16-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-13-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2692-15-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2692-10-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2692-17-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/2692-18-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2692-19-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-20-0x00000000043B0000-0x0000000004426000-memory.dmp

Filesize
472KB

Download
memory/2692-21-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/2692-23-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/2692-22-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/2692-24-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/2692-25-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads