agenttesla | 27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579

General

Target

27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
Size

357KB
MD5

b10c2067fbaf70d25aad7a398c34314d
SHA1

063e4fda1db6ba10e0c3efd9e2824ae93b67e38b
SHA256

27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579
SHA512

ca7155d36108be3e4472d62518db52370af8bbeaf8eb447cb280e643b13d552f65c042f55eb92d5ad0891848eed17236852d95da919a891ccbcff5a545320849
SSDEEP

6144:RxtLQ+SM/E+f8SzAmWeTyCREZErp/z6JnIYEYDQco30hzWRlRGUzt:RfLQ+lz8+RRTyCu06JnIYj7BWRP

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.adenerqyeurope.co.uk
Port:
587
Username:
[email protected]
Password:
j0#c!nNq6iW%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 5 IoCs

resource	yara_rule
behavioral1/memory/2832-13-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/2832-23-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/2832-21-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/2832-19-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral1/memory/2832-15-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2556	netsh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1644	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	28
PID 2408 wrote to memory of 1644	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	28
PID 2408 wrote to memory of 1644	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	28
PID 2408 wrote to memory of 1644	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	28
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2408 wrote to memory of 2832	2408	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	30
PID 2832 wrote to memory of 2556	2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	32
PID 2832 wrote to memory of 2556	2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	32
PID 2832 wrote to memory of 2556	2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	32
PID 2832 wrote to memory of 2556	2832	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe

C:\Users\Admin\AppData\Local\Temp\27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
"C:\Users\Admin\AppData\Local\Temp\27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\orcHPGIOhYkzPQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp581E.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe
  "C:\Users\Admin\AppData\Local\Temp\27c91ee96335f2e104c62a7cd00643f19dfc31f841984a4020235fc98fa01579.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2832
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

5

T1552

Credentials In Files

4

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp581E.tmp

Filesize
1KB

MD5
e39cc8e6f366d7f7a7ac8271c7c97476

SHA1
bbc13b79fa59908692bf4f76ec5b4e3dbf48df47

SHA256
7c39684138f214ce9280c281ee2ebd2403a3688685aa7ce254c1794f24928393

SHA512
11993470f8162f9cccf83dda8ef67d881c028328388fedcfa32c367e8ea445c9875464d3403cbe2453072a9d3deaa4f3868a06d14d34187dcf47163f6eeba7b7

Download Submit
memory/2408-24-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-1-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-2-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-3-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2408-0-0x0000000074D71000-0x0000000074D72000-memory.dmp

Filesize
4KB

Download
memory/2832-9-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-11-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-23-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-21-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-19-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-25-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-26-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2832-27-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-28-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-29-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-30-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-31-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-32-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download
memory/2832-33-0x0000000074D70000-0x000000007531B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads