agenttesla | 0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
Size

1.1MB
MD5

802397fe452b9d4923795a1994041073
SHA1

6653cbad45033f45a677c546b5881325a20ce548
SHA256

0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb
SHA512

b34cceafc5b934abb416cf9ee458759087d0977cc0446d43544ceb4b84c36b7c25a182a768c92fdba07b178ad0eb4e51943a1500933d90ca6e387eabadf14af7
SSDEEP

24576:6NA3R5drXdtCIe4it73fmm4iS39FrW2Lz0hL6cKx7s3oFQYcEn7h:z5bti1fmmNStMgz0ucKxIo6w

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
esut96092

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe

Executes dropped EXE 2 IoCs

pid	Process
3308	hdutulcnv.pif
3692	RegSvcs.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\76477236\\HDUTUL~1.PIF c:\\76477236\\qgfvud.udr"	hdutulcnv.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3308 set thread context of 3692	3308	hdutulcnv.pif	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdutulcnv.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3692	RegSvcs.exe
3692	RegSvcs.exe
3692	RegSvcs.exe
3692	RegSvcs.exe
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3692	RegSvcs.exe
3692	RegSvcs.exe
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif
3308	hdutulcnv.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3692	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3308	4356	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	83
PID 4356 wrote to memory of 3308	4356	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	83
PID 4356 wrote to memory of 3308	4356	0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe	83
PID 3308 wrote to memory of 3692	3308	hdutulcnv.pif	85
PID 3308 wrote to memory of 3692	3308	hdutulcnv.pif	85
PID 3308 wrote to memory of 3692	3308	hdutulcnv.pif	85
PID 3308 wrote to memory of 3692	3308	hdutulcnv.pif	85
PID 3308 wrote to memory of 3692	3308	hdutulcnv.pif	85

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe
"C:\Users\Admin\AppData\Local\Temp\0be53232c436fe0c83ebe734c96ba6a1c159d5fa7c502f3f68bd0493394267eb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\76477236\hdutulcnv.pif
  "C:\76477236\hdutulcnv.pif" qgfvud.udr
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\76477236\hdutulcnv.pif

Filesize
655KB

MD5
a75bc752c50fb74f7597c2bb59b93d43

SHA1
d2dcd3d104b6b04f0828844aeda188798669b41f

SHA256
877365dfcbe9d4896e9ca544c7d19e106ab78339edbc1bd410f2e11bd32cd2ee

SHA512
e856238e3cb519786365faf17d0d590692fa991d9ca81e2fb8ce094cd090583f4ed1823b7ca9c0f702320398054ba682644a02f8d99d4e0f53733564611d3f97

Download Submit
C:\76477236\ogdk.jpg

Filesize
611KB

MD5
1c9d75251fabd04dec07d045f9bba7a9

SHA1
fb6199a8f1e04fbede315729f317fda5d950e2ed

SHA256
d67387247789e39452560b75c98221846b53ac9412294937d4bc4a041e6ae0ad

SHA512
d8c9c949e917912186d1b8156c0d9a0a1b5cb7a48617bd4b9af15359d2aff74062bc051bbf915ada6d86a717021142cf3f5ad0a3b22c8fb4a1bf06392ec174eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/3692-80-0x0000000001340000-0x0000000001A01000-memory.dmp

Filesize
6.8MB

Download
memory/3692-83-0x0000000073AAE000-0x0000000073AAF000-memory.dmp

Filesize
4KB

Download
memory/3692-84-0x0000000001340000-0x000000000138C000-memory.dmp

Filesize
304KB

Download
memory/3692-85-0x0000000006800000-0x0000000006DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3692-86-0x0000000006250000-0x00000000062E2000-memory.dmp

Filesize
584KB

Download
memory/3692-87-0x0000000073AA0000-0x0000000074250000-memory.dmp

Filesize
7.7MB

Download
memory/3692-88-0x00000000063E0000-0x000000000647C000-memory.dmp

Filesize
624KB

Download
memory/3692-89-0x0000000073AAE000-0x0000000073AAF000-memory.dmp

Filesize
4KB

Download
memory/3692-90-0x0000000073AA0000-0x0000000074250000-memory.dmp

Filesize
7.7MB

Download
memory/3692-91-0x00000000067E0000-0x00000000067F8000-memory.dmp

Filesize
96KB

Download
memory/3692-92-0x0000000006F70000-0x0000000006FD6000-memory.dmp

Filesize
408KB

Download
memory/3692-93-0x00000000074E0000-0x0000000007530000-memory.dmp

Filesize
320KB

Download
memory/3692-94-0x0000000007630000-0x000000000763A000-memory.dmp

Filesize
40KB

Download