agenttesla | 47dc390233a824cf1d15df376a331d55ed9c156a721cc66d0d66f98f667aa04b

Analysis

max time kernel
103s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22012025_0028_MT103-PAYMENT-SWIFT-COPY_pdf.js
Size

1.6MB
MD5

8b053a72ac93b4201503a64f0bcb8bb1
SHA1

ecde85b491352ea7fc7560e0d485ffd057903579
SHA256

47dc390233a824cf1d15df376a331d55ed9c156a721cc66d0d66f98f667aa04b
SHA512

b533392682c57583edd3ace644ac3ca84f681e10bca169b2d112125f9ec67fce96701d71594a1c3e0df6fa03bbb115c1bce7654613f585c2e583796b9619c8a5
SSDEEP

24576:aEqAFVKYzEynVgmr39ol/uTl+pJqhK0ULElYBZbOG/5v9CjVgwppf+2qQZAqXJBx:aEvBz1J+l/c+ahYLVBZbvSgAN/R/lP

Score

10^/10

agenttesla collection discovery execution keylogger persistence phishing spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mucahitaytekin.com
Port:
587
Username:
[email protected]
Password:
Oseototo@1010@2

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mucahitaytekin.com
Port:
587
Username:
[email protected]
Password:
Oseototo@1010@2
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/1092-46-0x0000000000400000-0x0000000000483000-memory.dmp	Nirsoft
behavioral2/memory/4384-145-0x0000000000400000-0x0000000000465000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4384-145-0x0000000000400000-0x0000000000465000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/1092-46-0x0000000000400000-0x0000000000483000-memory.dmp	WebBrowserPassView

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Joined.exe

Executes dropped EXE 5 IoCs

pid	Process
3888	Joined.exe
1376	poie.exe
3608	TEGBET.exe
1092	A.exe
4384	B.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	B.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	poie.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	poie.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	poie.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JISvIAI = "C:\\Users\\Admin\\AppData\\Roaming\\JISvIAI\\JISvIAI.exe"	poie.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3608-92-0x0000000000DE0000-0x000000000102C000-memory.dmp	autoit_exe
behavioral2/memory/3608-106-0x0000000000DE0000-0x000000000102C000-memory.dmp	autoit_exe
behavioral2/memory/3608-146-0x0000000000DE0000-0x000000000102C000-memory.dmp	autoit_exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000f000000023bd3-24.dat	upx
behavioral2/memory/3608-31-0x0000000000DE0000-0x000000000102C000-memory.dmp	upx
behavioral2/files/0x0008000000023bd5-37.dat	upx
behavioral2/memory/1092-38-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/1092-46-0x0000000000400000-0x0000000000483000-memory.dmp	upx
behavioral2/memory/3608-92-0x0000000000DE0000-0x000000000102C000-memory.dmp	upx
behavioral2/memory/3608-106-0x0000000000DE0000-0x000000000102C000-memory.dmp	upx
behavioral2/files/0x000a000000023bd9-142.dat	upx
behavioral2/memory/4384-143-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral2/memory/4384-145-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral2/memory/3608-146-0x0000000000DE0000-0x000000000102C000-memory.dmp	upx

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEGBET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Joined.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poie.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1092	A.exe
1092	A.exe
1092	A.exe
1092	A.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	poie.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1376	poie.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3888	2236	wscript.exe	83
PID 2236 wrote to memory of 3888	2236	wscript.exe	83
PID 2236 wrote to memory of 3888	2236	wscript.exe	83
PID 3888 wrote to memory of 1376	3888	Joined.exe	84
PID 3888 wrote to memory of 1376	3888	Joined.exe	84
PID 3888 wrote to memory of 1376	3888	Joined.exe	84
PID 3888 wrote to memory of 3608	3888	Joined.exe	86
PID 3888 wrote to memory of 3608	3888	Joined.exe	86
PID 3888 wrote to memory of 3608	3888	Joined.exe	86
PID 3608 wrote to memory of 2992	3608	TEGBET.exe	87
PID 3608 wrote to memory of 2992	3608	TEGBET.exe	87
PID 3608 wrote to memory of 2992	3608	TEGBET.exe	87
PID 2992 wrote to memory of 1092	2992	cmd.exe	89
PID 2992 wrote to memory of 1092	2992	cmd.exe	89
PID 2992 wrote to memory of 1092	2992	cmd.exe	89
PID 3608 wrote to memory of 624	3608	TEGBET.exe	98
PID 3608 wrote to memory of 624	3608	TEGBET.exe	98
PID 3608 wrote to memory of 624	3608	TEGBET.exe	98
PID 624 wrote to memory of 4384	624	cmd.exe	100
PID 624 wrote to memory of 4384	624	cmd.exe	100
PID 624 wrote to memory of 4384	624	cmd.exe	100

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	poie.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	poie.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\22012025_0028_MT103-PAYMENT-SWIFT-COPY_pdf.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\Joined.exe
  "C:\Users\Admin\AppData\Local\Temp\Joined.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Users\Admin\AppData\Local\Temp\poie.exe
    "C:\Users\Admin\AppData\Local\Temp\poie.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\TEGBET.exe
    "C:\Users\Admin\AppData\Local\Temp\TEGBET.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c A.exe /stext A.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Users\Admin\AppData\Local\Temp\A.exe
        
        A.exe /stext A.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c B.exe /stext B.txt
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:624
    - - C:\Users\Admin\AppData\Local\Temp\B.exe
        
        B.exe /stext B.txt
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\db[2].htm

Filesize
130B

MD5
5c7bdb6d1feae88c0723af3a6059c1df

SHA1
7567c5f0eb078fd62d1c31503f3371beb6d4fb2e

SHA256
e506a1525cdb992490aaea897b3c7888b487bf76a268462decb93a6bff0bfde8

SHA512
815b7b53669132b5cb628c47f2fc7001d31041792e21fb70262dcfed6dee6c72f0817637a96972d4e332bc39170faf3adc193b25ef1f7d0955ea1d2d0137de4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.exe

Filesize
224KB

MD5
440028436e4eb1d94fc14b09f5d6224c

SHA1
eaee95e001b415026db7aeac9804fb03e65d8caa

SHA256
3570596c4b62fee8a80b4cab0ee2ff6c33342d2ceb1b3d9d7d06fa352655d027

SHA512
516e7be456337236d2f6b550a5ec8e41590e647a3cfd6894f7dcfe714dd601ba787f88cde55f3ca5fe70d20f3ff72f9b248a0404df582be60ac08701c42c5c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A.txt

Filesize
4KB

MD5
ac300aeaf27709e2067788fdd4624843

SHA1
e98edd4615d35de96e30f1a0e13c05b42ee7eb7b

SHA256
d2637d58bb120dc6fefe2f38d6e0d4b308006b8639106a7f9e915fa80b5cc9d9

SHA512
09c46e708f9d253dccd4d943639d9f8126f868ae3dcd951aad12222bb98b5d3814676f878c8391b9bdab5dedcf5b9e9eaeb2ad3ffec57bda875198735586d4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\B.exe

Filesize
202KB

MD5
a394c0ae6cf5530bb91b37b8bd09c468

SHA1
e006c548c39f36630833163fe524887780390dfd

SHA256
fd057d11727f14563a5533dd8453d6e3dcbf71862483a15bf8b769a73243a201

SHA512
17e9c6f6b3c2b6197216fd132ed54c1d2586c359c42e12915bc256472769f00a4f413f6ac83a784945b9e296d63b6b943f72876cf495569a65ff26c6189748a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Joined.exe

Filesize
1.2MB

MD5
4292b2d31a7f8ac80d1807e85c599c5a

SHA1
107e5ba72413db93d8738d4885d928e0a187e87f

SHA256
fb4acea2a7132e101aaba2fdb735e7350f71c04a151a25dcd865ed493ce53bcd

SHA512
f7534c9f26abc5d6bac333ffb2a80c79cfe73ada35c676882189615ad30b76194867721be483ff7e9e46288067d854b8e0bd1490113f117edbef567338279a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEGBET.exe

Filesize
1.1MB

MD5
0d3c92669c698947bfe6802e3377d6b3

SHA1
dfa9cfe3ea2a12009cfbb4677c3ba2bda9fbe4c8

SHA256
983036999b2753ffdb0b94c015d75c8b28fac0aacdd70edb93b77f006de1daff

SHA512
84275ba50366fc30c1f8b099f583058c52075f62b4c2f5692054fce965609a9e363c6991cf196d17ea6a7ae2dbfa464912a4b82b07b39b86875ad0a6a7a3bd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\poie.exe

Filesize
168KB

MD5
3d4e1ba5dff5595ef8e0d54a27f14099

SHA1
9abecbe019c452afbe02bca27c013586746971df

SHA256
14b654ba9d68e4a0ad8293a359dc4c382899cebf246ae7e6504d21e54437c009

SHA512
1d4e7c97d7d5ad618dd9459d486eee2768edc426659b66d4ef63dd2e065637313fb55c0ed273df14e56ea8facff1462ab1649c0aeeac454f359ba70357df8026

Download Submit
memory/1092-38-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1092-46-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1376-33-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/1376-61-0x00000000073E0000-0x000000000747C000-memory.dmp

Filesize
624KB

Download
memory/1376-34-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/1376-48-0x0000000007060000-0x00000000070F2000-memory.dmp

Filesize
584KB

Download
memory/1376-49-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/1376-50-0x00000000072E0000-0x0000000007330000-memory.dmp

Filesize
320KB

Download
memory/1376-51-0x0000000007500000-0x00000000076C2000-memory.dmp

Filesize
1.8MB

Download
memory/1376-40-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download
memory/3608-31-0x0000000000DE0000-0x000000000102C000-memory.dmp

Filesize
2.3MB

Download
memory/3608-92-0x0000000000DE0000-0x000000000102C000-memory.dmp

Filesize
2.3MB

Download
memory/3608-106-0x0000000000DE0000-0x000000000102C000-memory.dmp

Filesize
2.3MB

Download
memory/3608-146-0x0000000000DE0000-0x000000000102C000-memory.dmp

Filesize
2.3MB

Download
memory/3888-32-0x0000000000400000-0x000000000053A18B-memory.dmp

Filesize
1.2MB

Download
memory/3888-7-0x0000000000400000-0x000000000053A18B-memory.dmp

Filesize
1.2MB

Download
memory/4384-143-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4384-145-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download