agenttesla | 0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
Size

1.1MB
MD5

802397fe452b9d4923795a1994041073
SHA1

6653cbad45033f45a677c546b5881325a20ce548
SHA256

0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb
SHA512

b34cceafc5b934abb416cf9ee458759087d0977cc0446d43544ceb4b84c36b7c25a182a768c92fdba07b178ad0eb4e51943a1500933d90ca6e387eabadf14af7
SSDEEP

24576:6NA3R5drXdtCIe4it73fmm4iS39FrW2Lz0hL6cKx7s3oFQYcEn7h:z5bti1fmmNStMgz0ucKxIo6w

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
esut96092

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1660	hdutulcnv.pif
1940	RegSvcs.exe

Loads dropped DLL 5 IoCs

pid	Process
2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
1660	hdutulcnv.pif

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\76477236\\HDUTUL~1.PIF c:\\76477236\\qgfvud.udr"	hdutulcnv.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 1940	1660	hdutulcnv.pif	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdutulcnv.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1940	RegSvcs.exe
1940	RegSvcs.exe
1940	RegSvcs.exe
1940	RegSvcs.exe
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1940	RegSvcs.exe
1940	RegSvcs.exe
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif
1660	hdutulcnv.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1940	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1940	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1660	2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	31
PID 2080 wrote to memory of 1660	2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	31
PID 2080 wrote to memory of 1660	2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	31
PID 2080 wrote to memory of 1660	2080	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	31
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32
PID 1660 wrote to memory of 1940	1660	hdutulcnv.pif	32

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
"C:\Users\Admin\AppData\Local\Temp\0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\76477236\hdutulcnv.pif
  "C:\76477236\hdutulcnv.pif" qgfvud.udr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\76477236\ogdk.jpg

Filesize
611KB

MD5
1c9d75251fabd04dec07d045f9bba7a9

SHA1
fb6199a8f1e04fbede315729f317fda5d950e2ed

SHA256
d67387247789e39452560b75c98221846b53ac9412294937d4bc4a041e6ae0ad

SHA512
d8c9c949e917912186d1b8156c0d9a0a1b5cb7a48617bd4b9af15359d2aff74062bc051bbf915ada6d86a717021142cf3f5ad0a3b22c8fb4a1bf06392ec174eb

Download Submit
\76477236\hdutulcnv.pif

Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/1940-91-0x0000000000380000-0x0000000000A37000-memory.dmp

Filesize
6.7MB

Download
memory/1940-93-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1940-94-0x0000000000380000-0x0000000000A37000-memory.dmp

Filesize
6.7MB

Download
memory/1940-96-0x0000000000380000-0x0000000000A37000-memory.dmp

Filesize
6.7MB

Download
memory/1940-97-0x0000000000380000-0x0000000000A37000-memory.dmp

Filesize
6.7MB

Download
memory/1940-99-0x0000000000380000-0x00000000003CC000-memory.dmp

Filesize
304KB

Download