agenttesla | 063f28e3797edbae945abd6e657b5d8955affce68efa069b8ca81c41cb0e23f0

General

Target

Account Statement 4th December 2023.exe
Size

477KB
MD5

38e85567ecbe691d6319179e8e42fab2
SHA1

72f8f419447da72e61518a7ecdf433a4b05aa458
SHA256

188b48895639573a36270e0693569d98f7a673c975478927559c3eadd6d83839
SHA512

78c77591b9e381d9b3bf962693ec00f0ae94cadee813837095d4fb1e16282a93791d03a4323a52e57870632d7e09227cba1baaeee164264fb174e64a5d7c5d75
SSDEEP

12288:xkNqHWr7yJzMij4kfciX/wtf7FPEvPDvmtj9yx:xUq+IIefziB8vKjQx

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

cpngrtzp.execpngrtzp.exe

pid process

1520 cpngrtzp.exe
2812 cpngrtzp.exe
Loads dropped DLL 3 IoCs

Processes:

Account Statement 4th December 2023.execpngrtzp.exe

pid process

1116 Account Statement 4th December 2023.exe
1116 Account Statement 4th December 2023.exe
1520 cpngrtzp.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1520	cpngrtzp.exe
2812	cpngrtzp.exe

pid	process
1116	Account Statement 4th December 2023.exe
1116	Account Statement 4th December 2023.exe
1520	cpngrtzp.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cpngrtzp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cpngrtzp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cpngrtzp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cpngrtzp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cpngrtzp.exe

description pid process target process

PID 1520 set thread context of 2812 1520 cpngrtzp.exe cpngrtzp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cpngrtzp.exe

pid process

2812 cpngrtzp.exe
2812 cpngrtzp.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cpngrtzp.exe

pid process

1520 cpngrtzp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cpngrtzp.exe

description pid process

Token: SeDebugPrivilege 2812 cpngrtzp.exe

description	pid	process	target process
PID 1520 set thread context of 2812	1520	cpngrtzp.exe	cpngrtzp.exe

pid	process
2812	cpngrtzp.exe
2812	cpngrtzp.exe

pid	process
1520	cpngrtzp.exe

description	pid	process
Token: SeDebugPrivilege	2812	cpngrtzp.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Account Statement 4th December 2023.execpngrtzp.exe

description	pid	process	target process
PID 1116 wrote to memory of 1520	1116	Account Statement 4th December 2023.exe	cpngrtzp.exe
PID 1116 wrote to memory of 1520	1116	Account Statement 4th December 2023.exe	cpngrtzp.exe
PID 1116 wrote to memory of 1520	1116	Account Statement 4th December 2023.exe	cpngrtzp.exe
PID 1116 wrote to memory of 1520	1116	Account Statement 4th December 2023.exe	cpngrtzp.exe
PID 1520 wrote to memory of 2812	1520	cpngrtzp.exe	cpngrtzp.exe
PID 1520 wrote to memory of 2812	1520	cpngrtzp.exe	cpngrtzp.exe
PID 1520 wrote to memory of 2812	1520	cpngrtzp.exe	cpngrtzp.exe
PID 1520 wrote to memory of 2812	1520	cpngrtzp.exe	cpngrtzp.exe
PID 1520 wrote to memory of 2812	1520	cpngrtzp.exe	cpngrtzp.exe

outlook_office_path 1 IoCs

Processes:

cpngrtzp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cpngrtzp.exe

outlook_win_path 1 IoCs

Processes:

cpngrtzp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cpngrtzp.exe

C:\Users\Admin\AppData\Local\Temp\Account Statement 4th December 2023.exe
"C:\Users\Admin\AppData\Local\Temp\Account Statement 4th December 2023.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe
"C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe
"C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bktgubujiw.t

Filesize
335KB

MD5
03a408bbf961a94b9448aad8fed24336

SHA1
df08dc867912e252d48d23d599e21a0c90f3d914

SHA256
3d1155039ceb52969ebb93595ee5d3e2899ef72d98619c86439edd7a91d7d248

SHA512
69d145792d23e45419e3070c73d410506aab6ebc091c1ab70320b92f10c1b2aca5795d70e8213458e990c4be3b3d50a98675b647a51e98c626c064bcb5944643

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
\Users\Admin\AppData\Local\Temp\cpngrtzp.exe

Filesize
287KB

MD5
ccac95bbd8877f49efc523f125489bb1

SHA1
92ee3a54136bded5f1c17d25fdbb553caf2eb3aa

SHA256
2025846378bd3d25c2c9d16e2132870ae30372cc8f51c330c07c36c47f6b2b6f

SHA512
bc0f73899bbb8774e3fea93803be7d0b5db2074bc5fc4c704b8d877ac4612dee42199a5d5104155f3db4847aa50b253adfa93dde062747d9b5825baf5be42a3f

Download Submit
memory/1520-10-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2812-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2812-20-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-19-0x0000000000960000-0x00000000009A2000-memory.dmp

Filesize
264KB

Download
memory/2812-22-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2812-21-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2812-23-0x0000000073B70000-0x000000007425E000-memory.dmp

Filesize
6.9MB

Download
memory/2812-24-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads