agenttesla | d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
23/10/2023, 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT COPY.pdf.exe
Size

1021KB
MD5

28707370a3fb75269da8a9da30960505
SHA1

9c900e8ca6595599e922bce6f3255f29063d6212
SHA256

d49cff946605d03af069b896354b114d8a4b87313c1aa7fcac9fbf71bb39f8c1
SHA512

1ceb51a47825143cce7c0826e3d378b639621972996d6b0f7af772837852a0c00fc6f671f9c8642e2372e6b8118e43596f654073134681ca3958fba62be7f44f
SSDEEP

12288:uF0rdOBhhxlh/VJ1euMQd+S8Q/ZNt4/NpUH:00QdxTVJEuMPSDxNt+

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.expertsconsultgh.co
Port:
587
Username:
[email protected]
Password:
Oppong.2012
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 580	2552	PAYMENT COPY.pdf.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2552	PAYMENT COPY.pdf.exe
2816	powershell.exe
2872	powershell.exe
2552	PAYMENT COPY.pdf.exe
580	RegSvcs.exe
580	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	PAYMENT COPY.pdf.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	580	RegSvcs.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2872	2552	PAYMENT COPY.pdf.exe	30
PID 2552 wrote to memory of 2872	2552	PAYMENT COPY.pdf.exe	30
PID 2552 wrote to memory of 2872	2552	PAYMENT COPY.pdf.exe	30
PID 2552 wrote to memory of 2872	2552	PAYMENT COPY.pdf.exe	30
PID 2552 wrote to memory of 2816	2552	PAYMENT COPY.pdf.exe	32
PID 2552 wrote to memory of 2816	2552	PAYMENT COPY.pdf.exe	32
PID 2552 wrote to memory of 2816	2552	PAYMENT COPY.pdf.exe	32
PID 2552 wrote to memory of 2816	2552	PAYMENT COPY.pdf.exe	32
PID 2552 wrote to memory of 2608	2552	PAYMENT COPY.pdf.exe	33
PID 2552 wrote to memory of 2608	2552	PAYMENT COPY.pdf.exe	33
PID 2552 wrote to memory of 2608	2552	PAYMENT COPY.pdf.exe	33
PID 2552 wrote to memory of 2608	2552	PAYMENT COPY.pdf.exe	33
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2656	2552	PAYMENT COPY.pdf.exe	36
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 2448	2552	PAYMENT COPY.pdf.exe	37
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 3056	2552	PAYMENT COPY.pdf.exe	39
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38
PID 2552 wrote to memory of 580	2552	PAYMENT COPY.pdf.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3837739534-3148647840-3445085216-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PAYMENT COPY.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oVRCbYZ.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oVRCbYZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp384F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp384F.tmp

Filesize
1KB

MD5
25ac16059e6fc048f51f44466e221d54

SHA1
083f0a4b1383807959d620d73f243e85a04e1cfa

SHA256
9476593cfe78f81f9931455d1f3590f2262e275932af75fd6c0ede4b20417083

SHA512
ed9f21b7aca352c241e30c5fe7a69858d18ff4dbc2a3e23cd3368683965875f6c7679b3057e5bbefde06060c0b3d05018250c8d5f469f63fb26ffd65931532d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0NF3K6AA2AWT3K2VUCXO.temp

Filesize
7KB

MD5
8c292f882fde699d15f060081372b90f

SHA1
02a0510744b4f293f5700c98df10e4acd4e3b26e

SHA256
0cf020c5149c7fafc8d485717be9ffe962186a855cbc6d0ae46fa14112ddc5e1

SHA512
3daa1ea52f802f34891d0eb78d1d9105a16a2168a49b00e10e05183edce09bc8d90fd849024889baf045b2f604436721392eeb9ff8916560f0d106b9f6a08e5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8c292f882fde699d15f060081372b90f

SHA1
02a0510744b4f293f5700c98df10e4acd4e3b26e

SHA256
0cf020c5149c7fafc8d485717be9ffe962186a855cbc6d0ae46fa14112ddc5e1

SHA512
3daa1ea52f802f34891d0eb78d1d9105a16a2168a49b00e10e05183edce09bc8d90fd849024889baf045b2f604436721392eeb9ff8916560f0d106b9f6a08e5c

Download Submit
memory/580-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-45-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/580-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-44-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/580-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-41-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/580-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/580-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/580-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2552-1-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-7-0x0000000005C50000-0x0000000005CBA000-memory.dmp

Filesize
424KB

Download
memory/2552-5-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2552-4-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-40-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2552-6-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2552-2-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2552-0-0x0000000000C50000-0x0000000000D56000-memory.dmp

Filesize
1.0MB

Download
memory/2552-3-0x00000000006C0000-0x00000000006DC000-memory.dmp

Filesize
112KB

Download
memory/2816-22-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2816-26-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2816-43-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-21-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-24-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/2816-28-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2872-20-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-35-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2872-42-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download
memory/2872-30-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2872-23-0x000000006E360000-0x000000006E90B000-memory.dmp

Filesize
5.7MB

Download