agenttesla | 345f849a0cfc012229e71b4c53ff148b9cadaecd692f624f917e35dfed7f820b

General

Target

Revised PO# 453924.exe
Size

775KB
MD5

9943384ae07ee24b27111dcfa3ad3f28
SHA1

d05c756801a33f30c8c8c54c2513590a7ae56e97
SHA256

345f849a0cfc012229e71b4c53ff148b9cadaecd692f624f917e35dfed7f820b
SHA512

6a1944d0807e2646a4909a16d0ab9fce1d4cc74a1d90e7485172600580a83157bed1941929808b2dbfabfa7e90007ea4624d61af406326682a3a1f9244863176

Score

10^/10

persistence spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.hk-gruop-sg.com
Port:
587
Username:
[email protected]
Password:
YERuFGp7

Signatures

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Revised PO# 453924.exe

pid process

3180 Revised PO# 453924.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Revised PO# 453924.exe

description pid process target process

PID 3180 set thread context of 3932 3180 Revised PO# 453924.exe Revised PO# 453924.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

Revised PO# 453924.exe

pid process

3932 Revised PO# 453924.exe

pid	process
3180	Revised PO# 453924.exe

description	pid	process	target process
PID 3180 set thread context of 3932	3180	Revised PO# 453924.exe	Revised PO# 453924.exe

pid	process
3932	Revised PO# 453924.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/3932-0-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/3932-2-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/3932-3-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Revised PO# 453924.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\newApp = "C:\\Users\\Admin\\AppData\\Roaming\\newApp\\newApp.exe"	Revised PO# 453924.exe

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Revised PO# 453924.exeRevised PO# 453924.exe

pid process

3180 Revised PO# 453924.exe
3180 Revised PO# 453924.exe
3932 Revised PO# 453924.exe
3932 Revised PO# 453924.exe

pid	process
3180	Revised PO# 453924.exe
3180	Revised PO# 453924.exe
3932	Revised PO# 453924.exe
3932	Revised PO# 453924.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Revised PO# 453924.exe

description	pid	process	target process
PID 3180 wrote to memory of 3932	3180	Revised PO# 453924.exe	Revised PO# 453924.exe
PID 3180 wrote to memory of 3932	3180	Revised PO# 453924.exe	Revised PO# 453924.exe
PID 3180 wrote to memory of 3932	3180	Revised PO# 453924.exe	Revised PO# 453924.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Revised PO# 453924.exe

description pid process

Token: SeDebugPrivilege 3932 Revised PO# 453924.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process
Token: SeDebugPrivilege	3932	Revised PO# 453924.exe

C:\Users\Admin\AppData\Local\Temp\Revised PO# 453924.exe
"C:\Users\Admin\AppData\Local\Temp\Revised PO# 453924.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\Revised PO# 453924.exe
"C:\Users\Admin\AppData\Local\Temp\Revised PO# 453924.exe"
2⤵
- Suspicious behavior: RenamesItself
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3932-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3932-1-0x00000000004A27B0-mapping.dmp

Download
memory/3932-2-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3932-3-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3932-4-0x0000000002170000-0x00000000021BC000-memory.dmp

Filesize
304KB

Download
memory/3932-5-0x00000000021E2000-0x00000000021E3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads