agenttesla | a212cb057ef247f50d13b60031f5ef2527f1d86c79628a7d3d8bc328cbe1ccf6

General

Target

SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
Size

565KB
MD5

e45e292ee1302005225b8ee245018cc8
SHA1

5dd2b9ee3d84b40e7d4aecc5cc068367729e88ea
SHA256

a212cb057ef247f50d13b60031f5ef2527f1d86c79628a7d3d8bc328cbe1ccf6
SHA512

a3d6cc6975682344ba35345a19df338ef753055ab3be22f6687c7a090846d980af98dcee76741134ddb82e09b2c48df9d11d1e66bfee6e10d710c146e679621b
SSDEEP

12288:h2AQaueH5q8IDUKiAhTM1cJ3lfi5EIKqi+6u4UXrcbyyEAo:h2EqxDXhTM+xlLIpiM4UQ9E

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.adityagroup.co
Port:
587
Username:
[email protected]
Password:
Aditya!@#$%^
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.59820.14009.exe

description pid process target process

PID 2964 set thread context of 2932 2964 SecuriteInfo.com.Trojan.Inject4.59820.14009.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2652 schtasks.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2964 set thread context of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe

pid	process
2652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.59820.14009.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
2856	powershell.exe
2860	powershell.exe
2932	RegSvcs.exe
2932	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.59820.14009.exeRegSvcs.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
Token: SeDebugPrivilege	2932	RegSvcs.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Trojan.Inject4.59820.14009.exe

description	pid	process	target process
PID 2964 wrote to memory of 2860	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2860	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2860	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2860	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2856	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2856	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2856	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2856	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	powershell.exe
PID 2964 wrote to memory of 2652	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	schtasks.exe
PID 2964 wrote to memory of 2652	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	schtasks.exe
PID 2964 wrote to memory of 2652	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	schtasks.exe
PID 2964 wrote to memory of 2652	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	schtasks.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe
PID 2964 wrote to memory of 2932	2964	SecuriteInfo.com.Trojan.Inject4.59820.14009.exe	RegSvcs.exe

outlook_office_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.14009.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.14009.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Inject4.59820.14009.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UZZTTFhFFwXETf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UZZTTFhFFwXETf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp"
2⤵
- Creates scheduled task(s)
PID:2652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE531.tmp

Filesize
1KB

MD5
e23d6698051f0610a187ecf3142037cd

SHA1
41335e115a2920dabed8b2e9f6884e82fe302c4b

SHA256
35dd6b5e14672be682213d26a0b1bd2df013413eb3a8a7e705d3c196a4ae014c

SHA512
df3dae76878f1034762ded142e841a93ace049bf1fc86528bc896c0f28ebc2c4bddab020857627ab9721cd4d89f6b262a4cdfe6f908edc1a69e1ab427a36ce8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M49WRREB5S3JXZV10VBU.temp

Filesize
7KB

MD5
648d9f63c977d5c027a2331edf0a46f1

SHA1
63d15626025cb9b531a6b31834056256e9ca2c7c

SHA256
fedb5ed0618b5324a45827226f0de3605f93c55848135ed482a9f30407da2d6a

SHA512
2f9dff21721ace01e283f653f34382adaa077984c172386f81cabcd7ddfbd98e898f5a12abde0ddc77b3ccefbd6bbab8deea831fbc7c21e2efecacf501ce983a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
648d9f63c977d5c027a2331edf0a46f1

SHA1
63d15626025cb9b531a6b31834056256e9ca2c7c

SHA256
fedb5ed0618b5324a45827226f0de3605f93c55848135ed482a9f30407da2d6a

SHA512
2f9dff21721ace01e283f653f34382adaa077984c172386f81cabcd7ddfbd98e898f5a12abde0ddc77b3ccefbd6bbab8deea831fbc7c21e2efecacf501ce983a

Download Submit
memory/2856-44-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2856-43-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/2856-41-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/2856-23-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/2856-22-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-21-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-45-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2860-42-0x0000000002410000-0x0000000002450000-memory.dmp

Filesize
256KB

Download
memory/2860-24-0x000000006E560000-0x000000006EB0B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-47-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/2932-46-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/2932-40-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/2932-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2932-39-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-37-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-20-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/2964-0-0x0000000000A40000-0x0000000000AD2000-memory.dmp

Filesize
584KB

Download
memory/2964-5-0x0000000000560000-0x000000000056A000-memory.dmp

Filesize
40KB

Download
memory/2964-4-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2964-3-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/2964-2-0x00000000005F0000-0x0000000000630000-memory.dmp

Filesize
256KB

Download
memory/2964-1-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/2964-6-0x0000000005260000-0x00000000052CA000-memory.dmp

Filesize
424KB

Download
memory/2964-7-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads