agenttesla | 6fc9d76b06c202aeec60a5a4e5574cd7a1fe1c12c0df84e9bc65be508923ae7b

General

Target

9edeaa107cc4122715d43b0a272e8da2.exe
Size

1.4MB
MD5

9edeaa107cc4122715d43b0a272e8da2
SHA1

cc50359b87821da2ffef53309b62465e585f8ed5
SHA256

6fc9d76b06c202aeec60a5a4e5574cd7a1fe1c12c0df84e9bc65be508923ae7b
SHA512

07a71d65ecba49531f5d36ce58273a029be9e369254fc36caf0f52287244c7d49a4871ab220c31cfbbcd9c75fd22f66cb7a111eeda225cbfc09d3e82afcb0fb7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.brimaq.com
Port:
587
Username:
jaen@brimaq.com
Password:
brimaQ2012

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1056-0-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1056-1-0x000000000044CB3E-mapping.dmp	family_agenttesla
behavioral1/memory/1056-2-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Drops startup file 1 IoCs

Processes:

9edeaa107cc4122715d43b0a272e8da2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GenValObj.url	9edeaa107cc4122715d43b0a272e8da2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

9edeaa107cc4122715d43b0a272e8da2.exe

description pid process target process

PID 1008 set thread context of 1056 1008 9edeaa107cc4122715d43b0a272e8da2.exe MSBuild.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

1056 MSBuild.exe
1056 MSBuild.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1056 MSBuild.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

9edeaa107cc4122715d43b0a272e8da2.exe

pid process

1008 9edeaa107cc4122715d43b0a272e8da2.exe
1008 9edeaa107cc4122715d43b0a272e8da2.exe
1008 9edeaa107cc4122715d43b0a272e8da2.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

9edeaa107cc4122715d43b0a272e8da2.exe

pid process

1008 9edeaa107cc4122715d43b0a272e8da2.exe
1008 9edeaa107cc4122715d43b0a272e8da2.exe
1008 9edeaa107cc4122715d43b0a272e8da2.exe

description	pid	process	target process
PID 1008 set thread context of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe

pid	process
1056	MSBuild.exe
1056	MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	1056	MSBuild.exe

pid	process
1008	9edeaa107cc4122715d43b0a272e8da2.exe
1008	9edeaa107cc4122715d43b0a272e8da2.exe
1008	9edeaa107cc4122715d43b0a272e8da2.exe

pid	process
1008	9edeaa107cc4122715d43b0a272e8da2.exe
1008	9edeaa107cc4122715d43b0a272e8da2.exe
1008	9edeaa107cc4122715d43b0a272e8da2.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

9edeaa107cc4122715d43b0a272e8da2.exeMSBuild.exe

description	pid	process	target process
PID 1008 wrote to memory of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe
PID 1008 wrote to memory of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe
PID 1008 wrote to memory of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe
PID 1008 wrote to memory of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe
PID 1008 wrote to memory of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe
PID 1008 wrote to memory of 1056	1008	9edeaa107cc4122715d43b0a272e8da2.exe	MSBuild.exe
PID 1056 wrote to memory of 572	1056	MSBuild.exe	netsh.exe
PID 1056 wrote to memory of 572	1056	MSBuild.exe	netsh.exe
PID 1056 wrote to memory of 572	1056	MSBuild.exe	netsh.exe
PID 1056 wrote to memory of 572	1056	MSBuild.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\9edeaa107cc4122715d43b0a272e8da2.exe
"C:\Users\Admin\AppData\Local\Temp\9edeaa107cc4122715d43b0a272e8da2.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:572

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-4-0x0000000000000000-mapping.dmp

Download
memory/1056-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1056-1-0x000000000044CB3E-mapping.dmp

Download
memory/1056-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads