agenttesla | 4e5cc3f28cf9632f68aa78ddd345d24c94a632b9f23ef9f7d2c08474ed986e6b

General

Target

Facturas Pagadas al Vencimiento.exe
Size

413KB
MD5

faca034a45fdbc634640407863813829
SHA1

54d5e82cbd22f0de3e637d48b663517b0a42574e
SHA256

4e5cc3f28cf9632f68aa78ddd345d24c94a632b9f23ef9f7d2c08474ed986e6b
SHA512

c583a8e933eff9991dfec830954648597a58667859a8a0c91f7bfdc4ba0598b67b9b48f6b98cd8d40f4c0a92354cf9b936dde6df1822b04d8bf1116e7b2c3ad8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.jjfconsultores.com
Port:
587
Username:
jjfconsultores@jjfconsultores.com
Password:
primapolitica

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jjfconsultores.com
Port:
587
Username:
jjfconsultores@jjfconsultores.com
Password:
primapolitica

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2576-0-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/2576-1-0x000000000044732E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Facturas Pagadas al Vencimiento.exe

description pid process target process

PID 3608 set thread context of 2576 3608 Facturas Pagadas al Vencimiento.exe Facturas Pagadas al Vencimiento.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Facturas Pagadas al Vencimiento.exe

pid process

2576 Facturas Pagadas al Vencimiento.exe
2576 Facturas Pagadas al Vencimiento.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Facturas Pagadas al Vencimiento.exe

description pid process

Token: SeDebugPrivilege 2576 Facturas Pagadas al Vencimiento.exe

description	pid	process	target process
PID 3608 set thread context of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe

pid	process
2576	Facturas Pagadas al Vencimiento.exe
2576	Facturas Pagadas al Vencimiento.exe

description	pid	process
Token: SeDebugPrivilege	2576	Facturas Pagadas al Vencimiento.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Facturas Pagadas al Vencimiento.exe

description	pid	process	target process
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe
PID 3608 wrote to memory of 2576	3608	Facturas Pagadas al Vencimiento.exe	Facturas Pagadas al Vencimiento.exe

C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe
"C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3608

C:\Users\Admin\AppData\Local\Temp\Facturas Pagadas al Vencimiento.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Facturas Pagadas al Vencimiento.exe.log
MD5
3753b01eddc20f64178eaf3d55b5c146

SHA1
ca50665940eb8519e1df0c1f185fb72a271c2a66

SHA256
99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37

SHA512
566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3

Download Submit
memory/2576-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2576-1-0x000000000044732E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads