agenttesla | 3dedd27d28463b27df577e2f0dad58c1a0f295dbbcb1f132eea1632080dc4508

General

Target

Original Inv_pdf.exe
Size

684KB
MD5

f576d36525a3fc0eb2db943f79f50dc2
SHA1

d5bbe2244b843982dc4e8ff33758668f3e667248
SHA256

3dedd27d28463b27df577e2f0dad58c1a0f295dbbcb1f132eea1632080dc4508
SHA512

450e0146e8dc442f31aae5f4ec831cb985ed9aa045f1a111a7ba1d981c6e03d1499c63c911479b1de92859762ef05530be43bd29753691580300fcf7ba3043e0

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.flood-protection.org
Port:
587
Username:
[email protected]
Password:
scott2424@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1784-3-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1784-4-0x0000000000446DFE-mapping.dmp	family_agenttesla
behavioral1/memory/1784-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1784-6-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 1784	1400	Original Inv_pdf.exe	26

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1400	Original Inv_pdf.exe
1400	Original Inv_pdf.exe
1400	Original Inv_pdf.exe
1784	Original Inv_pdf.exe
1784	Original Inv_pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	Original Inv_pdf.exe
Token: SeDebugPrivilege	1784	Original Inv_pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26
PID 1400 wrote to memory of 1784	1400	Original Inv_pdf.exe	26

C:\Users\Admin\AppData\Local\Temp\Original Inv_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Original Inv_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\Original Inv_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Original Inv_pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1784-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1784-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1784-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing