agenttesla | aea90786fd4ecf5e2f9ad8b1cdce01f40df97f5f852231e9733d3deda4eb70e0

General

Target

cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Size

1.0MB
MD5

2b8fb3b2999f272966cf30453b8936d5
SHA1

45d9092e3d14c0b322254f01d7e38690deeda948
SHA256

cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05
SHA512

825f09277fb53aac9bc4f791d5d7ec5e3a0aa49bd9ac1f4cfb1437a052236cfb487bf1ce983f9d81829682e43a765e1894613021d1240153c72262db2df68e84
SSDEEP

24576:kfVcF1PYAVoKm+q/xIzLzzjXeBBHMIkJHe0zRV:ZNYdx+FWhMJJHeEV

Score

10^/10

agenttesla redline sectoprat cheat collection discovery infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.kirtidevelopers.com
Port:
587
Username:
[email protected]
Password:
RXXqtbk)sa0a

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.kirtidevelopers.com
Port:
587
Username:
[email protected]
Password:
RXXqtbk)sa0a

Extracted

Family

redline

Botnet

cheat

C2

193.47.61.37:38369

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002e000000018baf-27.dat	family_redline
behavioral1/memory/2188-32-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002e000000018baf-27.dat	family_sectoprat
behavioral1/memory/2188-32-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Executes dropped EXE 1 IoCs

pid	Process
2188	build.exe

Loads dropped DLL 1 IoCs

pid	Process
2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
2	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Token: SeDebugPrivilege	2188	build.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2888 wrote to memory of 2740	2888	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	30
PID 2740 wrote to memory of 2188	2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	32
PID 2740 wrote to memory of 2188	2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	32
PID 2740 wrote to memory of 2188	2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	32
PID 2740 wrote to memory of 2188	2740	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
  "C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"
  2⤵
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2740
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

Filesize
95KB

MD5
aab98addfc64d836a4501bf2ac185a27

SHA1
a1f2dc4392e876d86291be089bd240bf50403ea5

SHA256
65b0592dfb7b89a3a110ce3e61904690dd6ee38e7f1290e0a9047e2a9ceb9454

SHA512
cd5aaa4f5a6471b6a179d454f3745c9bc68c3616c3ac472ca444bb3b694522e4370981a81e1ed4480e3cb5b84b10deee2ac42f9d87ba81a27b57c64b7852398c

Download Submit
memory/2188-32-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download
memory/2740-22-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-36-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-37-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-24-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-10-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-11-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-17-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-21-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-19-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2740-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-6-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2888-8-0x00000000050A0000-0x0000000005138000-memory.dmp

Filesize
608KB

Download
memory/2888-7-0x0000000008250000-0x000000000831E000-memory.dmp

Filesize
824KB

Download
memory/2888-0-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

Filesize
4KB

Download
memory/2888-23-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-5-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-4-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

Filesize
4KB

Download
memory/2888-3-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2888-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-1-0x00000000009A0000-0x0000000000AAA000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads