agenttesla | 0fc60e6149afb0a4a187d8d2d593a8939460ee688ca36091a825489e0d1ed399

General

Target

TNT SHIPPING DETAILS _PDF.exe
Size

675KB
MD5

efbbd5d71522c6ab7d04d2d0fc8bc7aa
SHA1

2c0f38fc16252921f730b1fc3689e26a60e2b6e8
SHA256

0fc60e6149afb0a4a187d8d2d593a8939460ee688ca36091a825489e0d1ed399
SHA512

5b3e82e75b14a1be8982eb59a118a6218a873c2eed619335abf48be4605d47dfd5e5d09b85a26252cda6931bfd25e8f030f63ef995f80dc7a46d85017da8d0c8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.perfectholidaysborneo.com
Port:
587
Username:
[email protected]
Password:
p@2016apple

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1448-4-0x000000000044CD5E-mapping.dmp	family_agenttesla
behavioral1/memory/1448-5-0x0000000000080000-0x00000000000D2000-memory.dmp	family_agenttesla
behavioral1/memory/1448-6-0x0000000000080000-0x00000000000D2000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT SHIPPING DETAILS _PDF.exe

description pid process target process

PID 1088 set thread context of 1448 1088 TNT SHIPPING DETAILS _PDF.exe TNT SHIPPING DETAILS _PDF.exe

description	pid	process	target process
PID 1088 set thread context of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

TNT SHIPPING DETAILS _PDF.exeTNT SHIPPING DETAILS _PDF.exe

pid	process
1088	TNT SHIPPING DETAILS _PDF.exe
1088	TNT SHIPPING DETAILS _PDF.exe
1088	TNT SHIPPING DETAILS _PDF.exe
1448	TNT SHIPPING DETAILS _PDF.exe
1448	TNT SHIPPING DETAILS _PDF.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TNT SHIPPING DETAILS _PDF.exeTNT SHIPPING DETAILS _PDF.exe

description pid process

Token: SeDebugPrivilege 1088 TNT SHIPPING DETAILS _PDF.exe
Token: SeDebugPrivilege 1448 TNT SHIPPING DETAILS _PDF.exe

description	pid	process
Token: SeDebugPrivilege	1088	TNT SHIPPING DETAILS _PDF.exe
Token: SeDebugPrivilege	1448	TNT SHIPPING DETAILS _PDF.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

TNT SHIPPING DETAILS _PDF.exeTNT SHIPPING DETAILS _PDF.exe

description	pid	process	target process
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1088 wrote to memory of 1448	1088	TNT SHIPPING DETAILS _PDF.exe	TNT SHIPPING DETAILS _PDF.exe
PID 1448 wrote to memory of 1664	1448	TNT SHIPPING DETAILS _PDF.exe	netsh.exe
PID 1448 wrote to memory of 1664	1448	TNT SHIPPING DETAILS _PDF.exe	netsh.exe
PID 1448 wrote to memory of 1664	1448	TNT SHIPPING DETAILS _PDF.exe	netsh.exe
PID 1448 wrote to memory of 1664	1448	TNT SHIPPING DETAILS _PDF.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DETAILS _PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DETAILS _PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DETAILS _PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TNT SHIPPING DETAILS _PDF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1664

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1448-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1448-4-0x000000000044CD5E-mapping.dmp

Download
memory/1448-5-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/1448-6-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/1664-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads