agenttesla | 3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c

General

Target

3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe
Size

247KB
MD5

4eee9f3de8f15c0de7109bec3d035b2d
SHA1

9b0a0f5a76b44c2e81da789c67fe1bbd49aac478
SHA256

3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c
SHA512

0c334e00ff346c3a1a7be3dcd20a33f770e59020096edea3e05fb8a987e898a1c9fbe1def0af47aed7c8e37d37611cfba429113f5924d52954caaa6cccdb125f
SSDEEP

1536:upDcMlGXCDQ/W/zEuB+Kmx/IApkpbbASB90VzSNq6ML3EOim1hC6q0ioWfHV7x7h:uRnlGSDms4uoK+rCiapxMG/Fd10fSFz

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.apantextile.com
Port:
587
Username:
[email protected]
Password:
Latifshamima

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.apantextile.com
Port:
587
Username:
[email protected]
Password:
Latifshamima
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DFkXsB = "C:\\Users\\Admin\\AppData\\Roaming\\DFkXsB\\DFkXsB.exe"	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	api.ipify.org
52	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2560	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe
2560	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe

C:\Users\Admin\AppData\Local\Temp\3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3dbc68ad8ed61358bd1d7d2c59d72a42b23f793e7fe1535cabdfee4c88ba8f4c_JC.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2560-0-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2560-1-0x00000000008A0000-0x00000000008E4000-memory.dmp

Filesize
272KB

Download
memory/2560-2-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/2560-3-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/2560-4-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2560-5-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2560-6-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/2560-8-0x0000000006AB0000-0x0000000006B00000-memory.dmp

Filesize
320KB

Download
memory/2560-9-0x0000000006BA0000-0x0000000006C3C000-memory.dmp

Filesize
624KB

Download
memory/2560-10-0x0000000006E20000-0x0000000006EB2000-memory.dmp

Filesize
584KB

Download
memory/2560-11-0x0000000006DC0000-0x0000000006DCA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads