agenttesla | a0a83c6bc77fa73e06bc77a6bdd2e7d3b84319cff7f009d7f6ccc7fca5c48820

Analysis

max time kernel
118s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA pdf.exe
Size

730KB
MD5

5b111640fcb0a5d04cb799078fe90bad
SHA1

80870524c77d40a9711a8c120bac5f27957617ec
SHA256

a0a83c6bc77fa73e06bc77a6bdd2e7d3b84319cff7f009d7f6ccc7fca5c48820
SHA512

c21cd618ab2050a65425e9c7f50bf3c449f63f37a8ba804f934188cad2f7afb99a0e89fbbd75013f19e59852b91051b34a08e35b6b3be69263c0a56e8d76bb32
SSDEEP

12288:o4X9K94CKeimRxlZSbr2Y7BSP93oxIUhB4+XWKXWBhO:o4tMHKiRxHSv97O3RaG+XFGD

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
host2069.hostmonster.com
Port:
587
Username:
[email protected]
Password:
me!@#!@#!@#!@#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\qXYojnj = "C:\\Users\\Admin\\AppData\\Roaming\\qXYojnj\\qXYojnj.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 524	2276	SOA pdf.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2276	SOA pdf.exe
2276	SOA pdf.exe
2276	SOA pdf.exe
2276	SOA pdf.exe
2276	SOA pdf.exe
524	RegSvcs.exe
524	RegSvcs.exe
2720	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	SOA pdf.exe
Token: SeDebugPrivilege	524	RegSvcs.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2720	2276	SOA pdf.exe	30
PID 2276 wrote to memory of 2720	2276	SOA pdf.exe	30
PID 2276 wrote to memory of 2720	2276	SOA pdf.exe	30
PID 2276 wrote to memory of 2720	2276	SOA pdf.exe	30
PID 2276 wrote to memory of 2620	2276	SOA pdf.exe	32
PID 2276 wrote to memory of 2620	2276	SOA pdf.exe	32
PID 2276 wrote to memory of 2620	2276	SOA pdf.exe	32
PID 2276 wrote to memory of 2620	2276	SOA pdf.exe	32
PID 2276 wrote to memory of 2480	2276	SOA pdf.exe	34
PID 2276 wrote to memory of 2480	2276	SOA pdf.exe	34
PID 2276 wrote to memory of 2480	2276	SOA pdf.exe	34
PID 2276 wrote to memory of 2480	2276	SOA pdf.exe	34
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36
PID 2276 wrote to memory of 524	2276	SOA pdf.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SOA pdf.exe
"C:\Users\Admin\AppData\Local\Temp\SOA pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BckFJZpCIyCP.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BckFJZpCIyCP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp824A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp824A.tmp

Filesize
1KB

MD5
49503d45f1b4bbd8eb0703e75e7b3e39

SHA1
0ae5bf2abd49e38e9e08c417c09a731c68ed8cb7

SHA256
f7f201dbe91ef57072331a71d90eefb3e6dc9d73453d247d6b63d041c6c1be57

SHA512
9d1e0d4cff36c12e10c3d8d3c23812228bff435abb989c060dab60d5a2e7ec7555533c34811f45c2615123bbcf302cb49904c2ccf70b83dc96d0047883ad16f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZPVIGQWXLP4HQ0PEZ76Z.temp

Filesize
7KB

MD5
fd4b3d5e498478ad231fd0ca7db6c0a1

SHA1
47015917e20a98a4139e5e6480f8678f02a11a7e

SHA256
6a93fddd5ecb3e1f0c2368e58a0320d37f010feb6a3df70adfca46e59c59484a

SHA512
0661723675d57c78651d3b9a81fd8e1c4c4dfd631949bed0c439871d50604ec4055dc410215d1e6a99caca8a3f0326ab667d1de50ac736471e32352f94133d26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fd4b3d5e498478ad231fd0ca7db6c0a1

SHA1
47015917e20a98a4139e5e6480f8678f02a11a7e

SHA256
6a93fddd5ecb3e1f0c2368e58a0320d37f010feb6a3df70adfca46e59c59484a

SHA512
0661723675d57c78651d3b9a81fd8e1c4c4dfd631949bed0c439871d50604ec4055dc410215d1e6a99caca8a3f0326ab667d1de50ac736471e32352f94133d26

Download Submit
memory/524-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/524-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-45-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/524-48-0x0000000004AC0000-0x0000000004B00000-memory.dmp

Filesize
256KB

Download
memory/524-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-36-0x0000000072CA0000-0x000000007338E000-memory.dmp

Filesize
6.9MB

Download
memory/524-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/524-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2276-1-0x0000000001290000-0x000000000134C000-memory.dmp

Filesize
752KB

Download
memory/2276-2-0x00000000050A0000-0x00000000050E0000-memory.dmp

Filesize
256KB

Download
memory/2276-4-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-3-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/2276-7-0x0000000004FF0000-0x000000000506C000-memory.dmp

Filesize
496KB

Download
memory/2276-32-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-0-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2276-6-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2276-5-0x00000000050A0000-0x00000000050E0000-memory.dmp

Filesize
256KB

Download
memory/2620-33-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-35-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-54-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-40-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2620-50-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2620-37-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2620-42-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2620-46-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/2620-44-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-41-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2720-43-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-47-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2720-34-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-49-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2720-39-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2720-52-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/2720-53-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2720-38-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download