agenttesla | bc8767fc3ab5a4e2d11a9118b0d33d448dc829a15e10d88a2ad5d2727b1813e2

General

Target

PDA STATEMENT.exe
Size

517KB
MD5

99e05e1f4c3726434476aedddfbe2e3d
SHA1

da507c4274759703aa25ca68b9cb01929c129663
SHA256

031373e0c892da52577e9eb17ea541a7d874362c9845a3f36ce479c545624e5f
SHA512

833328a134028f79afae86426a61abe7ecf1a29e2da39814f3087435d80d19418ffb176b237f9befbbb7f0146f4b7510777ebe35f21052b105b65589fc971186
SSDEEP

12288:3GOA/39mIIvL16/WPRAlRHrvXKWdtaFKQ4J66:3GOA/t4jPRAlRLDnIk6

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.adityagroup.co
Port:
587
Username:
[email protected]
Password:
Aditya!@#$%^
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

PDA STATEMENT.exe

description pid process target process

PID 2596 set thread context of 2528 2596 PDA STATEMENT.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2312 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2596 set thread context of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe

pid	process
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

PDA STATEMENT.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2968	powershell.exe
2784	powershell.exe
2596	PDA STATEMENT.exe
2596	PDA STATEMENT.exe
2528	RegSvcs.exe
2528	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PDA STATEMENT.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2596	PDA STATEMENT.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2528	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

PDA STATEMENT.exe

description	pid	process	target process
PID 2596 wrote to memory of 2784	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2784	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2784	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2784	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2968	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2968	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2968	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2968	2596	PDA STATEMENT.exe	powershell.exe
PID 2596 wrote to memory of 2312	2596	PDA STATEMENT.exe	schtasks.exe
PID 2596 wrote to memory of 2312	2596	PDA STATEMENT.exe	schtasks.exe
PID 2596 wrote to memory of 2312	2596	PDA STATEMENT.exe	schtasks.exe
PID 2596 wrote to memory of 2312	2596	PDA STATEMENT.exe	schtasks.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2512	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe
PID 2596 wrote to memory of 2528	2596	PDA STATEMENT.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe
"C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PDA STATEMENT.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NCOjhNiQvr.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NCOjhNiQvr" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA6AB.tmp"
2⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA6AB.tmp

Filesize
1KB

MD5
722c6e4f0519bab2a20d839f43c3adbf

SHA1
02d9e3eab4a09b97d76d2b6ec360e2d8fa552285

SHA256
5c7deb900e88daabc3121a5d378d2e0d40a93bc4a9ff50fd64e0c6cd246d6fcf

SHA512
f2b3bce30551902b7f03b4b7123b751c0aa82a34ac6103ae8f91e0dc378ea32477d7790dff09091de7c8214579c82940162a406e19a8e89a2b51b22971b019dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WXQLW1BPTJIGNLPCW719.temp

Filesize
7KB

MD5
622e09a41e14c30edce818f37060bb2f

SHA1
c6fec47dfbd7ef48c7e9851f541089e24534cac8

SHA256
5ffed66a1765846a55f60b1741ed97df1732da17c42c7a8bc127d36a4f5be9b9

SHA512
28e58b30cd2978003ede544d9bd16645ef0e49b9aed9090f228c9df7c9cee38b6bc8d65ebe9c3fafcade96e243278480c8d5b31ce818d267a262e9cc12290706

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
622e09a41e14c30edce818f37060bb2f

SHA1
c6fec47dfbd7ef48c7e9851f541089e24534cac8

SHA256
5ffed66a1765846a55f60b1741ed97df1732da17c42c7a8bc127d36a4f5be9b9

SHA512
28e58b30cd2978003ede544d9bd16645ef0e49b9aed9090f228c9df7c9cee38b6bc8d65ebe9c3fafcade96e243278480c8d5b31ce818d267a262e9cc12290706

Download Submit
memory/2528-44-0x0000000004260000-0x00000000042A0000-memory.dmp

Filesize
256KB

Download
memory/2528-43-0x00000000737F0000-0x0000000073EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-42-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-47-0x00000000737F0000-0x0000000073EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-48-0x0000000004260000-0x00000000042A0000-memory.dmp

Filesize
256KB

Download
memory/2528-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2528-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-23-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2596-39-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-3-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/2596-1-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2596-4-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/2596-5-0x0000000004CA0000-0x0000000004D0A000-memory.dmp

Filesize
424KB

Download
memory/2596-6-0x0000000074AF0000-0x00000000751DE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-0-0x0000000000E40000-0x0000000000EC6000-memory.dmp

Filesize
536KB

Download
memory/2596-7-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2784-20-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-22-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2784-26-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-46-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-28-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/2968-21-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/2968-30-0x0000000002650000-0x0000000002690000-memory.dmp

Filesize
256KB

Download
memory/2968-45-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/2968-24-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads