agenttesla | ef4ae3267d280e27deddcafd021cf4d4ac90adab048cb271001a32a339b3b227

General

Target

Swift_Copy.exe
Size

681KB
MD5

e967bc00a6534da0f0655af644e7ee6d
SHA1

0cdeab62d10f6f511920993e72a3140acc06918f
SHA256

ef4ae3267d280e27deddcafd021cf4d4ac90adab048cb271001a32a339b3b227
SHA512

bcf5b45581b2f1d93ca814ba80c62f767338cebf0efbd4adb9bc6743fbb8ac49c85515dbd0853897cbba8e7b964ba0243c5c04ff4562eacdb3cc4b1df0bdbaa4

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
Blessing123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2092-3-0x0000000000400000-0x00000000004A4000-memory.dmp	family_agenttesla
behavioral2/memory/2092-4-0x00000000009F0000-0x0000000000A3C000-memory.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2092-0-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/2092-2-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/2092-3-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 2092	4004	Swift_Copy.exe	66

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4004	Swift_Copy.exe
4004	Swift_Copy.exe
2092	Swift_Copy.exe
2092	Swift_Copy.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4004	Swift_Copy.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	Swift_Copy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2092	4004	Swift_Copy.exe	66
PID 4004 wrote to memory of 2092	4004	Swift_Copy.exe	66
PID 4004 wrote to memory of 2092	4004	Swift_Copy.exe	66

C:\Users\Admin\AppData\Local\Temp\Swift_Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Swift_Copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\Swift_Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Swift_Copy.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2092-2-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2092-3-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2092-4-0x00000000009F0000-0x0000000000A3C000-memory.dmp

Filesize
304KB

Download
memory/2092-5-0x0000000000532000-0x0000000000533000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing