agenttesla | 9079943117ea724add13043f94f0ca39a82085d386959586eed56b5fae69ccfb

General

Target

SHIPPING DOCUMENTS.exe
Size

436KB
MD5

3cca5f9b8a62928dfda8e35b80d81a6e
SHA1

c3f5db8a1d0099548ba62fa88b8ac3c4f7d63fe6
SHA256

9079943117ea724add13043f94f0ca39a82085d386959586eed56b5fae69ccfb
SHA512

8b5c118528f8da7af0035c3a5c940f5b7a041a5aec43720e510725fcb3ad7005fc2ad0fe10ca7b46d6971e05e196e1fc9c15eaaa068c5a428e612449d3b6ecb9

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
maka@fuzetec-tw.com
Password:
mmm777

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3964-2-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/3964-3-0x00000000004482AE-mapping.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

SHIPPING DOCUMENTS.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts SHIPPING DOCUMENTS.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

SHIPPING DOCUMENTS.exe

description pid process target process

PID 1592 set thread context of 3964 1592 SHIPPING DOCUMENTS.exe SHIPPING DOCUMENTS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2796 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SHIPPING DOCUMENTS.exe

pid process

3964 SHIPPING DOCUMENTS.exe
3964 SHIPPING DOCUMENTS.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SHIPPING DOCUMENTS.exe

description pid process

Token: SeDebugPrivilege 3964 SHIPPING DOCUMENTS.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SHIPPING DOCUMENTS.exe

pid process

3964 SHIPPING DOCUMENTS.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	SHIPPING DOCUMENTS.exe

description	pid	process	target process
PID 1592 set thread context of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe

pid	process
2796	schtasks.exe

pid	process
3964	SHIPPING DOCUMENTS.exe
3964	SHIPPING DOCUMENTS.exe

description	pid	process
Token: SeDebugPrivilege	3964	SHIPPING DOCUMENTS.exe

pid	process
3964	SHIPPING DOCUMENTS.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SHIPPING DOCUMENTS.exe

description	pid	process	target process
PID 1592 wrote to memory of 2796	1592	SHIPPING DOCUMENTS.exe	schtasks.exe
PID 1592 wrote to memory of 2796	1592	SHIPPING DOCUMENTS.exe	schtasks.exe
PID 1592 wrote to memory of 2796	1592	SHIPPING DOCUMENTS.exe	schtasks.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe
PID 1592 wrote to memory of 3964	1592	SHIPPING DOCUMENTS.exe	SHIPPING DOCUMENTS.exe

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HSzKDkRLmV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp"
2⤵
- Creates scheduled task(s)
PID:2796

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SHIPPING DOCUMENTS.exe.log
MD5
ef140ef600b2463c9e7dbf064a104046

SHA1
c08fd1853877be95575ea2e860dd8cafef31f54c

SHA256
ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616

SHA512
bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7B12.tmp
MD5
846dec168d2b0d9d5a1eeace7e572eef

SHA1
4ffe117af3a0ea8db20c9da65a8bb89904a666c7

SHA256
2418994afce9e66d54fccb964b8952004065f447e83800ceb8928631c1f203e0

SHA512
37292d7c033232037c93434b4f092d2340cbe52752412b971e91b693e252aa59f9450b55129307343364c44aa2609e6c59912d52717478f7b051daf084449ba1

Download Submit
memory/2796-0-0x0000000000000000-mapping.dmp

Download
memory/3964-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3964-3-0x00000000004482AE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads