agenttesla | cf83e8ceb458dc6b06d83463d76155d9cfbab7a7cc7432e14892470a3e0a2590

General

Target

Shipping Docments.exe
Size

415KB
MD5

264251a5c111ba36e7ae5b75033e064a
SHA1

0b2125badde35f7d6355832dfd87ef74de583293
SHA256

cf83e8ceb458dc6b06d83463d76155d9cfbab7a7cc7432e14892470a3e0a2590
SHA512

bffe527f86b169a3c80ee545e299689da8318b78513a53f99646eadd63f62d34e7f5bfe0616e9c9cac1fd05c3641f48347ca00788d023903963758ae347cb9d0

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.saharanepal.coop.np
Port:
587
Username:
sijuwa@saharanepal.coop.np
Password:
sijuwa@sahara

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.saharanepal.coop.np
Port:
587
Username:
sijuwa@saharanepal.coop.np
Password:
sijuwa@sahara

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3960-2-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla
behavioral2/memory/3960-3-0x000000000044A6BE-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipping Docments.exe

description pid process target process

PID 1820 set thread context of 3960 1820 Shipping Docments.exe Shipping Docments.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2520 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Shipping Docments.exe

pid process

3960 Shipping Docments.exe
3960 Shipping Docments.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Shipping Docments.exe

description pid process

Token: SeDebugPrivilege 3960 Shipping Docments.exe

description	pid	process	target process
PID 1820 set thread context of 3960	1820	Shipping Docments.exe	Shipping Docments.exe

pid	process
2520	schtasks.exe

pid	process
3960	Shipping Docments.exe
3960	Shipping Docments.exe

description	pid	process
Token: SeDebugPrivilege	3960	Shipping Docments.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Shipping Docments.exe

description	pid	process	target process
PID 1820 wrote to memory of 2520	1820	Shipping Docments.exe	schtasks.exe
PID 1820 wrote to memory of 2520	1820	Shipping Docments.exe	schtasks.exe
PID 1820 wrote to memory of 2520	1820	Shipping Docments.exe	schtasks.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe
PID 1820 wrote to memory of 3960	1820	Shipping Docments.exe	Shipping Docments.exe

C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KxrgVNXkAkSND" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FFF.tmp"
2⤵
- Creates scheduled task(s)
PID:2520

C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Shipping Docments.exe.log
MD5
3753b01eddc20f64178eaf3d55b5c146

SHA1
ca50665940eb8519e1df0c1f185fb72a271c2a66

SHA256
99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37

SHA512
566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FFF.tmp
MD5
a1cf2fbccfcd71286bddb8c829d6cc23

SHA1
53497d54f362676236e905e529258f917632a293

SHA256
a25914b6c8c0f9e5a45ced45db58afe0e36c67a116fc6d507df983667338ca85

SHA512
32a20c3ca67c33470c211560507ad78b1e6cbbac43ba7d0f8f296f1a5754605a6a2141c579d583917f653dc7a99e241749f9d3224eaccd6a04dd846dab10c47f

Download Submit
memory/2520-0-0x0000000000000000-mapping.dmp

Download
memory/3960-2-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3960-3-0x000000000044A6BE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads