agenttesla | aea90786fd4ecf5e2f9ad8b1cdce01f40df97f5f852231e9733d3deda4eb70e0

General

Target

cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Size

1.0MB
MD5

2b8fb3b2999f272966cf30453b8936d5
SHA1

45d9092e3d14c0b322254f01d7e38690deeda948
SHA256

cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05
SHA512

825f09277fb53aac9bc4f791d5d7ec5e3a0aa49bd9ac1f4cfb1437a052236cfb487bf1ce983f9d81829682e43a765e1894613021d1240153c72262db2df68e84
SSDEEP

24576:kfVcF1PYAVoKm+q/xIzLzzjXeBBHMIkJHe0zRV:ZNYdx+FWhMJJHeEV

Score

10^/10

agenttesla redline sectoprat cheat collection discovery infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.kirtidevelopers.com
Port:
587
Username:
[email protected]
Password:
RXXqtbk)sa0a

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.kirtidevelopers.com
Port:
587
Username:
[email protected]
Password:
RXXqtbk)sa0a

Extracted

Family

redline

Botnet

cheat

C2

193.47.61.37:38369

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023bb0-26.dat	family_redline
behavioral2/memory/4480-33-0x0000000000560000-0x000000000057E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023bb0-26.dat	family_sectoprat
behavioral2/memory/4480-33-0x0000000000560000-0x000000000057E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Executes dropped EXE 1 IoCs

pid	Process
4480	build.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	api.ipify.org
39	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
Token: SeDebugPrivilege	4480	build.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2212 wrote to memory of 2272	2212	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	99
PID 2272 wrote to memory of 4480	2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	100
PID 2272 wrote to memory of 4480	2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	100
PID 2272 wrote to memory of 4480	2272	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe

C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
"C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe
  "C:\Users\Admin\AppData\Local\Temp\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe"
  2⤵
  - Checks computer location settings
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cda24af9dd1ec0ac52f40309cfd28d6f2e8501aef32d3ca56147dfe03d89ad05.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\build.exe

Filesize
95KB

MD5
aab98addfc64d836a4501bf2ac185a27

SHA1
a1f2dc4392e876d86291be089bd240bf50403ea5

SHA256
65b0592dfb7b89a3a110ce3e61904690dd6ee38e7f1290e0a9047e2a9ceb9454

SHA512
cd5aaa4f5a6471b6a179d454f3745c9bc68c3616c3ac472ca444bb3b694522e4370981a81e1ed4480e3cb5b84b10deee2ac42f9d87ba81a27b57c64b7852398c

Download Submit
memory/2212-17-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-3-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/2212-4-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/2212-5-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-6-0x0000000005A80000-0x0000000005A98000-memory.dmp

Filesize
96KB

Download
memory/2212-7-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/2212-8-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-9-0x0000000005C90000-0x0000000005C9C000-memory.dmp

Filesize
48KB

Download
memory/2212-10-0x00000000081D0000-0x000000000829E000-memory.dmp

Filesize
824KB

Download
memory/2212-11-0x0000000008360000-0x00000000083FC000-memory.dmp

Filesize
624KB

Download
memory/2212-12-0x0000000008680000-0x0000000008718000-memory.dmp

Filesize
608KB

Download
memory/2212-1-0x0000000000C60000-0x0000000000D6A000-memory.dmp

Filesize
1.0MB

Download
memory/2212-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/2212-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

Filesize
4KB

Download
memory/2272-19-0x0000000005470000-0x0000000005488000-memory.dmp

Filesize
96KB

Download
memory/2272-16-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2272-22-0x0000000006DA0000-0x0000000006DF0000-memory.dmp

Filesize
320KB

Download
memory/2272-20-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/2272-18-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/2272-13-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2272-44-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-36-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

Filesize
72KB

Download
memory/4480-35-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/4480-34-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-37-0x0000000004E80000-0x0000000004EBC000-memory.dmp

Filesize
240KB

Download
memory/4480-42-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-41-0x0000000004EC0000-0x0000000004F0C000-memory.dmp

Filesize
304KB

Download
memory/4480-43-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/4480-33-0x0000000000560000-0x000000000057E000-memory.dmp

Filesize
120KB

Download
memory/4480-45-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-46-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads