agenttesla | 8b9a55b92c1ec972a8105740919d99c5b4fabac2b927759d993bd1d13cf4946b

Analysis

max time kernel
117s
max time network
143s
platform
windows10_x64
resource
win10
submitted
08-07-2020 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO.exe
Size

376KB
MD5

84133be5dc2ce3c5db50c09794746749
SHA1

197076af033cda5e0ac539b3dd5d0113677dba7f
SHA256

8b9a55b92c1ec972a8105740919d99c5b4fabac2b927759d993bd1d13cf4946b
SHA512

020a4d8a8522c4b9b0be63ac5d29fae3a9549d2423afbd22b99b76ac66d2ffe6f8d714cf6f82445726ca44ca9e9e1e84b35979cd6243e6aa8b8a42a84f871cff

Score

10^/10

spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.visgring.com
Port:
587
Username:
[email protected]
Password:
uqtQpAv1

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

PO.exe

description	pid	process	target process
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe
PID 3608 wrote to memory of 4004	3608	PO.exe	PO.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 3608 set thread context of 4004 3608 PO.exe PO.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PO.exe

description pid process

Token: SeDebugPrivilege 4004 PO.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

PO.exe

pid process

4004 PO.exe
4004 PO.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 3608 set thread context of 4004	3608	PO.exe	PO.exe

description	pid	process
Token: SeDebugPrivilege	4004	PO.exe

pid	process
4004	PO.exe
4004	PO.exe

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3608

C:\Users\Admin\AppData\Local\Temp\PO.exe
"C:\Users\Admin\AppData\Local\Temp\PO.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\PO.exe.log

Download Submit
memory/4004-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4004-1-0x000000000044695E-mapping.dmp

Download