agenttesla | 73a0e45c8cd2fcd49f0a3602aec912486610dddca32dc6f879c2d90660be1931

General

Target

VBCNXNJGFJHFD9873487943.exe
Size

309KB
MD5

0259d1aa5bf063769f36e5056e554021
SHA1

b4943803c47fa2284c3d30c9e75feefe8a26c04f
SHA256

73a0e45c8cd2fcd49f0a3602aec912486610dddca32dc6f879c2d90660be1931
SHA512

4147998a187e2f8032f123c17ec4a85224b9ba2117ae69f9fc5416eccbac3c70df35ea3e6ed51e6ccd2f402f528a21acab8bb88905b71c19244987a2b43ba836
SSDEEP

3072:wrJxi2KLomWHzmYwKL3RId2zQx/V/iwCm0owzZ0z1GTohLXKHrW37X1Hq:wrJxjfHzIKL6Kw6oQ41GkhLXH71Hq

Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.botswlogistics.com
Port:
587
Username:
[email protected]
Password:
*(QSTCj8

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/3352-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cvtres.exe
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cvtres.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBCNXNJGFJHFD9873487943.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4232	VBCNXNJGFJHFD9873487943.exe
4232	VBCNXNJGFJHFD9873487943.exe
3352	cvtres.exe
3352	cvtres.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	VBCNXNJGFJHFD9873487943.exe
Token: SeDebugPrivilege	3352	cvtres.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4900	4232	VBCNXNJGFJHFD9873487943.exe	96
PID 4232 wrote to memory of 4900	4232	VBCNXNJGFJHFD9873487943.exe	96
PID 4232 wrote to memory of 4900	4232	VBCNXNJGFJHFD9873487943.exe	96
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97
PID 4232 wrote to memory of 3352	4232	VBCNXNJGFJHFD9873487943.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cvtres.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cvtres.exe

C:\Users\Admin\AppData\Local\Temp\VBCNXNJGFJHFD9873487943.exe
"C:\Users\Admin\AppData\Local\Temp\VBCNXNJGFJHFD9873487943.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:4900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3352-13-0x0000000004F20000-0x0000000004F38000-memory.dmp

Filesize
96KB

Download
memory/3352-14-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/3352-10-0x0000000004A90000-0x0000000004B22000-memory.dmp

Filesize
584KB

Download
memory/3352-11-0x0000000004C20000-0x0000000004CBC000-memory.dmp

Filesize
624KB

Download
memory/3352-9-0x0000000004FA0000-0x0000000005544000-memory.dmp

Filesize
5.6MB

Download
memory/3352-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-17-0x0000000005BC0000-0x0000000005C10000-memory.dmp

Filesize
320KB

Download
memory/3352-8-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/3352-18-0x0000000004920000-0x000000000492A000-memory.dmp

Filesize
40KB

Download
memory/3352-16-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/3352-15-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/3352-12-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4232-0-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/4232-1-0x0000000000070000-0x00000000000C0000-memory.dmp

Filesize
320KB

Download
memory/4232-3-0x00000000751AE000-0x00000000751AF000-memory.dmp

Filesize
4KB

Download
memory/4232-2-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4232-7-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4232-4-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing