agenttesla | b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c

General

Target

b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe
Size

364KB
MD5

cbaf034210e7e93ce0a2f42d7384aefc
SHA1

cbe042d579c11bd24765a20476f0a689e9bd76d5
SHA256

b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c
SHA512

a39e06e2c712e0f7bc75b26c0cffa218ff1c67e79a737b1f448562220f2ac55a4a0c40dac6e5e5c459a4bcba7cdf0a9993e489cc9cbbabd3e994c329726a9783
SSDEEP

6144:P8LxB0mbEhb1HJPXVviHiyZUIWcgTaWbSjM0sksdyu8oUVuyQe+3vuG5XvnZuFuH:xT1pvVvi5efcKaWmM0sUVOhx4uxp

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2820	aqiozfb.exe
2688	aqiozfb.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe
2820	aqiozfb.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aqiozfb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aqiozfb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aqiozfb.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2688	2820	aqiozfb.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2820	aqiozfb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	aqiozfb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2820	2944	b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe	28
PID 2944 wrote to memory of 2820	2944	b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe	28
PID 2944 wrote to memory of 2820	2944	b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe	28
PID 2944 wrote to memory of 2820	2944	b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe	28
PID 2820 wrote to memory of 2688	2820	aqiozfb.exe	29
PID 2820 wrote to memory of 2688	2820	aqiozfb.exe	29
PID 2820 wrote to memory of 2688	2820	aqiozfb.exe	29
PID 2820 wrote to memory of 2688	2820	aqiozfb.exe	29
PID 2820 wrote to memory of 2688	2820	aqiozfb.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aqiozfb.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aqiozfb.exe

C:\Users\Admin\AppData\Local\Temp\b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe
"C:\Users\Admin\AppData\Local\Temp\b91ff3fcdb95cf732566c51507243bfe707a1893e8357a95331aa3e6befd232c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe
  "C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe
    "C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe

Filesize
174KB

MD5
1f052fb7e9b0d4e143c5ae13d80bcc4d

SHA1
fa7f2295b81bd9e538720e3fdf032a0c6512d514

SHA256
86765be6110528a9eea59bcb9878abea8b0f28db13d89b2bf75239db017742ca

SHA512
66ae069c07dfe4b18c0b62db2a2e7ec470c2e375cade8c9952d3eec128f893a41815f1d3f00141dae9414955285a744d6bedabb4f966623ab0c23dbea05ba8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe

Filesize
174KB

MD5
1f052fb7e9b0d4e143c5ae13d80bcc4d

SHA1
fa7f2295b81bd9e538720e3fdf032a0c6512d514

SHA256
86765be6110528a9eea59bcb9878abea8b0f28db13d89b2bf75239db017742ca

SHA512
66ae069c07dfe4b18c0b62db2a2e7ec470c2e375cade8c9952d3eec128f893a41815f1d3f00141dae9414955285a744d6bedabb4f966623ab0c23dbea05ba8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqiozfb.exe

Filesize
174KB

MD5
1f052fb7e9b0d4e143c5ae13d80bcc4d

SHA1
fa7f2295b81bd9e538720e3fdf032a0c6512d514

SHA256
86765be6110528a9eea59bcb9878abea8b0f28db13d89b2bf75239db017742ca

SHA512
66ae069c07dfe4b18c0b62db2a2e7ec470c2e375cade8c9952d3eec128f893a41815f1d3f00141dae9414955285a744d6bedabb4f966623ab0c23dbea05ba8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwhmvzv.sy

Filesize
262KB

MD5
4af859f5d90708925cc708c0336c3b74

SHA1
1756cecf1dd95ce7d94f062380c87c38753b6500

SHA256
f6d98dddbd10a16f12c2f660ac99ef8bc36e044f5d8a6b721b1f1089c18b7f32

SHA512
b321b1998467b5c3df587402d444b5b139a582bf2aaaeccd83db7c6d9af40d1ee086a1ecd0fe3acdc8ebadf8614097d8e316518c38da66a95b6f46bbc42ecb96

Download Submit
\Users\Admin\AppData\Local\Temp\aqiozfb.exe

Filesize
174KB

MD5
1f052fb7e9b0d4e143c5ae13d80bcc4d

SHA1
fa7f2295b81bd9e538720e3fdf032a0c6512d514

SHA256
86765be6110528a9eea59bcb9878abea8b0f28db13d89b2bf75239db017742ca

SHA512
66ae069c07dfe4b18c0b62db2a2e7ec470c2e375cade8c9952d3eec128f893a41815f1d3f00141dae9414955285a744d6bedabb4f966623ab0c23dbea05ba8f4

Download Submit
\Users\Admin\AppData\Local\Temp\aqiozfb.exe

Filesize
174KB

MD5
1f052fb7e9b0d4e143c5ae13d80bcc4d

SHA1
fa7f2295b81bd9e538720e3fdf032a0c6512d514

SHA256
86765be6110528a9eea59bcb9878abea8b0f28db13d89b2bf75239db017742ca

SHA512
66ae069c07dfe4b18c0b62db2a2e7ec470c2e375cade8c9952d3eec128f893a41815f1d3f00141dae9414955285a744d6bedabb4f966623ab0c23dbea05ba8f4

Download Submit
memory/2688-17-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-10-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2688-16-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/2688-18-0x0000000004630000-0x0000000004670000-memory.dmp

Filesize
256KB

Download
memory/2688-19-0x0000000004630000-0x0000000004670000-memory.dmp

Filesize
256KB

Download
memory/2688-21-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2688-22-0x0000000004630000-0x0000000004670000-memory.dmp

Filesize
256KB

Download
memory/2820-12-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing