agenttesla | 3dbaaa9208eb953264ccfd12378d6f0300a4a8e1a269d91de0e56ba2a22e63ef

General

Target

MV GREAT JIN QUOTATION GJN20ST-D026.exe
Size

557KB
MD5

d26eb4f7199bf49d1e401da3181255a3
SHA1

615ba7105a1b4859ac82ff4e63e865b8cbe30ef9
SHA256

3dbaaa9208eb953264ccfd12378d6f0300a4a8e1a269d91de0e56ba2a22e63ef
SHA512

9b0ba2e96bfdc472997349e92a8e9627e56da021b09c05b39b6d9c3b1c9d8e83a971a77f5b77e2460b49319b7cc3b070e7997786620cfc117c431d43116bee05

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
milllogs@ilserreno.com
Password:
iwuoha241@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
milllogs@ilserreno.com
Password:
iwuoha241@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2780-0-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/2780-1-0x0000000000447ABE-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MV GREAT JIN QUOTATION GJN20ST-D026.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsWhv = "C:\\Users\\Admin\\AppData\\Roaming\\DsWhv\\DsWhv.exe"	MV GREAT JIN QUOTATION GJN20ST-D026.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MV GREAT JIN QUOTATION GJN20ST-D026.exe

description	pid	process	target process
PID 3896 set thread context of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MV GREAT JIN QUOTATION GJN20ST-D026.exe

pid process

2780 MV GREAT JIN QUOTATION GJN20ST-D026.exe
2780 MV GREAT JIN QUOTATION GJN20ST-D026.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MV GREAT JIN QUOTATION GJN20ST-D026.exe

description pid process

Token: SeDebugPrivilege 2780 MV GREAT JIN QUOTATION GJN20ST-D026.exe

pid	process
2780	MV GREAT JIN QUOTATION GJN20ST-D026.exe
2780	MV GREAT JIN QUOTATION GJN20ST-D026.exe

description	pid	process
Token: SeDebugPrivilege	2780	MV GREAT JIN QUOTATION GJN20ST-D026.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MV GREAT JIN QUOTATION GJN20ST-D026.exe

description	pid	process	target process
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe
PID 3896 wrote to memory of 2780	3896	MV GREAT JIN QUOTATION GJN20ST-D026.exe	MV GREAT JIN QUOTATION GJN20ST-D026.exe

C:\Users\Admin\AppData\Local\Temp\MV GREAT JIN QUOTATION GJN20ST-D026.exe
"C:\Users\Admin\AppData\Local\Temp\MV GREAT JIN QUOTATION GJN20ST-D026.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\MV GREAT JIN QUOTATION GJN20ST-D026.exe
"{path}"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MV GREAT JIN QUOTATION GJN20ST-D026.exe.log
MD5
3753b01eddc20f64178eaf3d55b5c146

SHA1
ca50665940eb8519e1df0c1f185fb72a271c2a66

SHA256
99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37

SHA512
566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3

Download Submit
memory/2780-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2780-1-0x0000000000447ABE-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads