agenttesla | 278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7

General

Target

278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe
Size

961KB
MD5

226bc4742070377134dad87de9febd8f
SHA1

0c5aeb1c5807536b8660ffa32febea425910aea8
SHA256

278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7
SHA512

bfb2006f2663e097a4ed4e771db449cf8486f91713199db794c8aa89a25f5dd93e9ed29ffdb13cd3e3d74c4d49789ab82194c2b1485ee1128280b01a5b264ec6
SSDEEP

12288:GyIN+YFTn7VwJZgW6zQ0BUKOPYm7lmB+BGaIF7N+eWk58JW2BVAS+LMdWtcEtfd8:K8Jj6PU5l7l6daUN+eWuqBizLMOVj1

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1126419955634688050/yHbrubx366X_Wn_C4JcQbucXxlXRqxsG0O4bz5LxWso8RUXTpr0uNHjuz89z2GRXyE-6

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4296 set thread context of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2960	Caspol.exe
2960	Caspol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe
Token: SeDebugPrivilege	2960	Caspol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	Caspol.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83
PID 4296 wrote to memory of 2960	4296	278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe	83

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe

C:\Users\Admin\AppData\Local\Temp\278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe
"C:\Users\Admin\AppData\Local\Temp\278eaac2233aa9f956f7063ecae46b05271484a695f0fc6552d33c01597febc7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2960-7-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/2960-3-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2960-5-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/2960-6-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/2960-8-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/2960-9-0x00000000067F0000-0x0000000006840000-memory.dmp

Filesize
320KB

Download
memory/2960-19-0x00000000068E0000-0x000000000697C000-memory.dmp

Filesize
624KB

Download
memory/2960-20-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/2960-21-0x0000000006EF0000-0x0000000006EFA000-memory.dmp

Filesize
40KB

Download
memory/2960-22-0x0000000074C90000-0x0000000075440000-memory.dmp

Filesize
7.7MB

Download
memory/4296-1-0x0000000000330000-0x0000000000426000-memory.dmp

Filesize
984KB

Download
memory/4296-2-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/4296-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing