agenttesla | c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488

General

Target

c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
Size

351KB
MD5

ebdf9dcf04da8f500480fd73171e6b7d
SHA1

e30c81881d0933f4a03a692345cc4c7cce6d571f
SHA256

c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488
SHA512

e714241ccefb2f854b7f21274bc7af00bf63b751fc1edf361fd810a83deacf9d98cea2e1f6836f05f6c73eebb0f62cbfcbacdd08c498dc0fc581312242856205
SSDEEP

6144:wBlL/COT4k6135ecz+IyDJy6Fc/bFQ0odCih1TTZT732b58Oqa8OYRVjogSryENs:CE461JX+IyDJysc/9odCETT5y58OFgKe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.nmsltd.com.tr
Port:
587
Username:
[email protected]
Password:
nms190019

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

oweoyjcg.exeoweoyjcg.exe

pid process

1692 oweoyjcg.exe
2240 oweoyjcg.exe

pid	process
1692	oweoyjcg.exe
2240	oweoyjcg.exe

Loads dropped DLL 3 IoCs

Processes:

c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exeoweoyjcg.exe

pid	process
2944	c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
2944	c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
1692	oweoyjcg.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

oweoyjcg.exe

description pid process target process

PID 1692 set thread context of 2240 1692 oweoyjcg.exe oweoyjcg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

oweoyjcg.exe

pid process

2240 oweoyjcg.exe
2240 oweoyjcg.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

oweoyjcg.exe

pid process

1692 oweoyjcg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

oweoyjcg.exe

description pid process

Token: SeDebugPrivilege 2240 oweoyjcg.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

oweoyjcg.exe

pid process

2240 oweoyjcg.exe

description	pid	process	target process
PID 1692 set thread context of 2240	1692	oweoyjcg.exe	oweoyjcg.exe

pid	process
2240	oweoyjcg.exe
2240	oweoyjcg.exe

pid	process
1692	oweoyjcg.exe

description	pid	process
Token: SeDebugPrivilege	2240	oweoyjcg.exe

pid	process
2240	oweoyjcg.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exeoweoyjcg.exe

description	pid	process	target process
PID 2944 wrote to memory of 1692	2944	c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe	oweoyjcg.exe
PID 2944 wrote to memory of 1692	2944	c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe	oweoyjcg.exe
PID 2944 wrote to memory of 1692	2944	c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe	oweoyjcg.exe
PID 2944 wrote to memory of 1692	2944	c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe	oweoyjcg.exe
PID 1692 wrote to memory of 2240	1692	oweoyjcg.exe	oweoyjcg.exe
PID 1692 wrote to memory of 2240	1692	oweoyjcg.exe	oweoyjcg.exe
PID 1692 wrote to memory of 2240	1692	oweoyjcg.exe	oweoyjcg.exe
PID 1692 wrote to memory of 2240	1692	oweoyjcg.exe	oweoyjcg.exe
PID 1692 wrote to memory of 2240	1692	oweoyjcg.exe	oweoyjcg.exe

C:\Users\Admin\AppData\Local\Temp\c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
"C:\Users\Admin\AppData\Local\Temp\c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe
"C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe
"C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iwyapbleyxb.w

Filesize
339KB

MD5
a28c928f1a34038cccf03fcecba4c758

SHA1
cc6b0abe6bb26323ea48c68829446dfc91a6e340

SHA256
587562c17c3a27d9f722893b9c73ec7e2dbbb015c3618ee2cdf45414663c83c3

SHA512
c3268557e55068eaafaa7301afcb199af74f67d04b7cd512cb52daf04b2154efc950e5ec92f58993de2c417f390776c81ae2993d03e5c24f312fa2ade3664e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
\Users\Admin\AppData\Local\Temp\oweoyjcg.exe

Filesize
165KB

MD5
436e291267ad544e575b6eb53e4336e1

SHA1
cb8acd02eda4a509c050d388c7e3ca323d5ae253

SHA256
c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb

SHA512
3c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da

Download Submit
memory/1692-9-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2240-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2240-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2240-17-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2240-18-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2240-19-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-20-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2240-21-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2240-22-0x0000000073C80000-0x000000007436E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing