agenttesla | 6d94587cde5cdb5f21283032c6e40a030c67fa556016584f8f075918c4ea4bc3

General

Target

Payment Copy Pdf.exe
Size

420KB
MD5

79111a86d3b49cfd6064e27f5f2e6d83
SHA1

f61bc3418e9ca92b02f21c66af2ff94bede59f7e
SHA256

b9381cede9bdb49cd74a7ee1d5fa91a3b04bb99f4d3c8be2239f5bc268df8cfe
SHA512

17e04bd8663fbf88c3ae7125ff9bdca8f2ac649bf512fa0c2f0352ba57cfd3a794c58288c3977d2c1611ae97eb34ad1046a78211d1babebb911198caac475a0b
SSDEEP

6144:T8LxB4D06oRE8vLVI3FPs+DoRRf+Dv4QR/VOxahjMc8Gh/DGIIrlqnh+NG1kXdfu:HJZG+3FPfCRf+JsM1MWh/DFulHPfE9V

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2332	mspohdk.exe
2692	mspohdk.exe

Loads dropped DLL 3 IoCs

pid	Process
2436	Payment Copy Pdf.exe
2436	Payment Copy Pdf.exe
2332	mspohdk.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"	mspohdk.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 2692	2332	mspohdk.exe	24

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	mspohdk.exe
2692	mspohdk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2332	mspohdk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	mspohdk.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	mspohdk.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2332	2436	Payment Copy Pdf.exe	18
PID 2436 wrote to memory of 2332	2436	Payment Copy Pdf.exe	18
PID 2436 wrote to memory of 2332	2436	Payment Copy Pdf.exe	18
PID 2436 wrote to memory of 2332	2436	Payment Copy Pdf.exe	18
PID 2332 wrote to memory of 2692	2332	mspohdk.exe	24
PID 2332 wrote to memory of 2692	2332	mspohdk.exe	24
PID 2332 wrote to memory of 2692	2332	mspohdk.exe	24
PID 2332 wrote to memory of 2692	2332	mspohdk.exe	24
PID 2332 wrote to memory of 2692	2332	mspohdk.exe	24

C:\Users\Admin\AppData\Local\Temp\Payment Copy Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy Pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\mspohdk.exe
  "C:\Users\Admin\AppData\Local\Temp\mspohdk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\mspohdk.exe
    "C:\Users\Admin\AppData\Local\Temp\mspohdk.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chfcjghy.dmk

Filesize
334KB

MD5
331a88ac8928b2fa36e199191bbfde5d

SHA1
2785d97e4f46bdde511843bd52143e8dddda9738

SHA256
903cb0a45409c7ccf5137f09dae81864681e850ee2cb95a20179ce5cae839d5b

SHA512
2419730c93471a81532180b63b416f0972169863f7bbda6e6889609a7ecec2d464f279539a379ac1e49294a4763b2c608c2ce28094e9b214311c3ef34f28cbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
C:\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
\Users\Admin\AppData\Local\Temp\mspohdk.exe

Filesize
165KB

MD5
9ccc32a41e68c14e82795e6c8563799f

SHA1
35386cb1b6903372f1fa17acd4db798037b40fa6

SHA256
c3efb9a8c063098c0f9a094eebe76f397a8dc74688bd34989814a3897fac5a77

SHA512
b293cd93b750fc385c4ddafb3b023fc7e9636a644cc4d7c9a57de5018f98a30464d1f38f3ffd9a8eb003b5f3f390025391d70269b2638ac1afa1d8992182ca08

Download Submit
memory/2332-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2332-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2692-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-17-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-21-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/2692-22-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download
memory/2692-20-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-19-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2692-23-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2692-24-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-25-0x0000000004670000-0x00000000046B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads