agenttesla | 234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96

General

Target

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe
Size

317KB
MD5

4d8ba3b2a8662ef0369418d498dbccb5
SHA1

dc31c93b6adab1ce08821b3cb07df1a2e4aabe17
SHA256

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96
SHA512

ee297cd0cb3ee2d323be3dfcfafb1d4706e8f3ef2239cc6d237a6d0dcfdbe297122a4630e32621d0f5debb2b21bdf136b0fe311225846b9ebe8415f834da552b
SSDEEP

3072:VmCTc970E3iKeHrSei1V/XbKjvE18FMIqY3QslEn3ElbEr20bGX6nsfXT4:gTt0/HgVzK5MysnWi20bGXyoXU

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sachingandhiarchitects.com
Port:
587
Username:
[email protected]
Password:
devi060911
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qLYhCbk = "C:\\Users\\Admin\\AppData\\Roaming\\qLYhCbk\\qLYhCbk.exe"	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 api.ipify.org
42 api.ipify.org

flow	ioc
41	api.ipify.org
42	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

pid	process
3472	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe
3472	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

description pid process

Token: SeDebugPrivilege 3472 234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

description	pid	process
Token: SeDebugPrivilege	3472	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

outlook_office_path 1 IoCs

Processes:

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

outlook_win_path 1 IoCs

Processes:

234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe

C:\Users\Admin\AppData\Local\Temp\234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe
"C:\Users\Admin\AppData\Local\Temp\234dd271957dce958fddfeac710f5c9b0de3a4188caff69b6fdfdeac835dea96.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3472-0-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-1-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3472-2-0x00000000024A0000-0x00000000024E2000-memory.dmp

Filesize
264KB

Download
memory/3472-3-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3472-4-0x0000000004B10000-0x00000000050B4000-memory.dmp

Filesize
5.6MB

Download
memory/3472-5-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3472-6-0x0000000004A50000-0x0000000004AB6000-memory.dmp

Filesize
408KB

Download
memory/3472-7-0x0000000005EA0000-0x0000000005EF0000-memory.dmp

Filesize
320KB

Download
memory/3472-8-0x0000000005EF0000-0x0000000005F82000-memory.dmp

Filesize
584KB

Download
memory/3472-9-0x0000000005FF0000-0x0000000005FFA000-memory.dmp

Filesize
40KB

Download
memory/3472-10-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/3472-11-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3472-12-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3472-13-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads