agenttesla | 4f975bf5421b35152c4408ad831df3d1bac81e684ad15bd1e3209a987cf9c01a

Analysis

max time kernel
90s
max time network
116s
platform
windows10_x64
resource
win10
submitted
07-07-2020 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order.exe
Size

452KB
MD5

74adf498c96c634627cc0a4e6fe08710
SHA1

46c86e64e6d92f475ba1b04fbde7a67aeeccf7cb
SHA256

4f975bf5421b35152c4408ad831df3d1bac81e684ad15bd1e3209a987cf9c01a
SHA512

750e99195dee7a7327af30732655e449858a83bdaf8f91cb7f3a3b226186e78b315145d7953e9646f3dbd6692abe21abde6b03027d4b3207d122a8e4ed4719ae

Score

10^/10

spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
ikem123456789

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe
PID 3588 wrote to memory of 3260	3588	New Order.exe	New Order.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 3588 set thread context of 3260 3588 New Order.exe New Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Order.exe

description pid process

Token: SeDebugPrivilege 3260 New Order.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

New Order.exe

pid process

3260 New Order.exe
3260 New Order.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3588 set thread context of 3260	3588	New Order.exe	New Order.exe

description	pid	process
Token: SeDebugPrivilege	3260	New Order.exe

pid	process
3260	New Order.exe
3260	New Order.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3588

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\New Order.exe.log

Download Submit
memory/3260-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3260-1-0x0000000000446DFE-mapping.dmp

Download