agenttesla | a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f

General

Target

a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
Size

587KB
MD5

1ec275d581b7efc115153bb6a8915ba5
SHA1

869acb34500897d1d9ebe06bf3f52eeaeb8c1eaa
SHA256

a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f
SHA512

001f23bea4fd2ae52fd88d01f1d9bf9539954ac3e02ae7b7dd0dcc9f57d1c9ac89f242a0128d2126313bd3099c40eb622516081298d98b2d05abdb805785d1c5
SSDEEP

6144:O8LxB3Qx8ayrbordY+VxuOveqXd0N+UMq1zSvEFWcbqX7TZPTvV3AWgbyG1aSmWD:GxPgUrdJE0Wx+YWc871PTWbHfmWPYMf

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
premium185.web-hosting.com
Port:
587
Username:
[email protected]
Password:
cooldown2013

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

aodoeww.exeaodoeww.exe

pid process

3380 aodoeww.exe
2788 aodoeww.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3380	aodoeww.exe
2788	aodoeww.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

aodoeww.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"	aodoeww.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.ipify.org
37 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

aodoeww.exe

description pid process target process

PID 3380 set thread context of 2788 3380 aodoeww.exe aodoeww.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aodoeww.exe

pid process

2788 aodoeww.exe
2788 aodoeww.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

aodoeww.exe

pid process

3380 aodoeww.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aodoeww.exe

description pid process

Token: SeDebugPrivilege 2788 aodoeww.exe

flow	ioc
36	api.ipify.org
37	api.ipify.org

description	pid	process	target process
PID 3380 set thread context of 2788	3380	aodoeww.exe	aodoeww.exe

pid	process
2788	aodoeww.exe
2788	aodoeww.exe

pid	process
3380	aodoeww.exe

description	pid	process
Token: SeDebugPrivilege	2788	aodoeww.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exeaodoeww.exe

description	pid	process	target process
PID 2816 wrote to memory of 3380	2816	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	aodoeww.exe
PID 2816 wrote to memory of 3380	2816	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	aodoeww.exe
PID 2816 wrote to memory of 3380	2816	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	aodoeww.exe
PID 3380 wrote to memory of 2788	3380	aodoeww.exe	aodoeww.exe
PID 3380 wrote to memory of 2788	3380	aodoeww.exe	aodoeww.exe
PID 3380 wrote to memory of 2788	3380	aodoeww.exe	aodoeww.exe
PID 3380 wrote to memory of 2788	3380	aodoeww.exe	aodoeww.exe

C:\Users\Admin\AppData\Local\Temp\a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
"C:\Users\Admin\AppData\Local\Temp\a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\aodoeww.exe
"C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\aodoeww.exe
"C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjwkjigjuz.jpc

Filesize
333KB

MD5
96b2d3902a0e83e8566903c45773664b

SHA1
58fa09c32f35cfd8b31d0a53230fdfa184d9eede

SHA256
bf6daa91ecdf8ec351ab89424d323865fd8f5b2124a9f2b9954ffc4539a44033

SHA512
2c9ec68e765a1c677b7e4493dbd9105f0edf93052b2c4612ff64c0954fc455123e6871a712ffec04f1a3d7c1be9f6406eb9046056fbbf1a50ca0324cc8679f73

Download Submit
memory/2788-15-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2788-18-0x0000000004890000-0x0000000004E34000-memory.dmp

Filesize
5.6MB

Download
memory/2788-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2788-30-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2788-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2788-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2788-13-0x0000000002380000-0x00000000023C2000-memory.dmp

Filesize
264KB

Download
memory/2788-14-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2788-29-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2788-16-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2788-17-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2788-7-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2788-20-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2788-19-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/2788-21-0x0000000005D20000-0x0000000005D70000-memory.dmp

Filesize
320KB

Download
memory/2788-22-0x0000000005D70000-0x0000000005E0C000-memory.dmp

Filesize
624KB

Download
memory/2788-23-0x0000000005EC0000-0x0000000005F52000-memory.dmp

Filesize
584KB

Download
memory/2788-24-0x0000000005FD0000-0x0000000005FDA000-memory.dmp

Filesize
40KB

Download
memory/2788-26-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2788-28-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/3380-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3380-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads