agenttesla | fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b

General

Target

fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe
Size

545KB
MD5

bea32ab4dc9d62c210300c9dbc587cf5
SHA1

0d5d35b6a241917f80430015f97a6e7bcb419943
SHA256

fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b
SHA512

7bc4f0b489e1bb9c50515a13a7909e7d5b0e1a45f6a8c706ac3f99296d0b4e48636964b14c7f7075ef81a6e261c6bd634ff9cf848699ffb4f7c2fd118320fc3f
SSDEEP

12288:6Ub+UwSvMMMDMMMWCUB1ysqCVTSK2k1m94SmCVN:lvMMMDMMMWCo1xlSK2kQ+6

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.kbakr.com
Port:
587
Username:
kdaad@kbakr.com
Password:
blessings@@@
Email To:
lsp@kbakr.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
4	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	RegSvcs.exe
2984	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe
Token: SeDebugPrivilege	2984	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28
PID 2952 wrote to memory of 2984	2952	fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe	28

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe
"C:\Users\Admin\AppData\Local\Temp\fb3985dc3b2b92209641e36dbb7113092028845d2939ecb0dbaf8d9a64c1c54b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2984

Network

DNS

api.ipify.org

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN CNAME

api4.ipify.org

api4.ipify.org

IN A

64.185.227.156

api4.ipify.org

IN A

173.231.16.77

api4.ipify.org

IN A

104.237.62.212

64.185.227.156:443

api.ipify.org

tls

RegSvcs.exe

385 B
211 B
5
5

8.8.8.8:53

api.ipify.org

dns

RegSvcs.exe

59 B
126 B
1
1

DNS Request

api.ipify.org

DNS Response

64.185.227.156

173.231.16.77

104.237.62.212

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2952-0-0x0000000000C30000-0x0000000000CBE000-memory.dmp

Filesize
568KB

Download
memory/2952-1-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-2-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2952-3-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2952-4-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2952-5-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-6-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/2952-7-0x0000000005100000-0x0000000005180000-memory.dmp

Filesize
512KB

Download
memory/2952-8-0x0000000000BE0000-0x0000000000C22000-memory.dmp

Filesize
264KB

Download
memory/2952-22-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-20-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2984-21-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/2984-23-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-24-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.