agenttesla | 50e017de70cd0bbf71b8f4e687d56b796cd355b38c30076c7769d8b0b8562449

General

Target

ejinewcrypt.exe
Size

713KB
MD5

13c7191ab2781a2d225665a4c1b23b17
SHA1

89d584fa1b31d8fc00c35fe73de89058dd79ec2c
SHA256

50e017de70cd0bbf71b8f4e687d56b796cd355b38c30076c7769d8b0b8562449
SHA512

96541683f67c11f33ce7f3c8674c84ef866c7c71558fab546a6c98662b59e1f012d36bfcec510897cb8d618ad74bb46489ba77f397e07ad6a952971be0df95d3

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dogaseed.com
Port:
587
Username:
[email protected]
Password:
Doga_2017*

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1032-1-0x00000000004AE360-mapping.dmp	family_agenttesla
behavioral1/memory/1032-3-0x0000000000400000-0x00000000004B0000-memory.dmp	family_agenttesla
behavioral1/memory/1032-4-0x00000000004B0000-0x0000000000502000-memory.dmp	family_agenttesla
behavioral1/memory/1032-6-0x00000000002B0000-0x00000000002FC000-memory.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1032-0-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral1/memory/1032-2-0x0000000000400000-0x00000000004B0000-memory.dmp	upx
behavioral1/memory/1032-3-0x0000000000400000-0x00000000004B0000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\CFMBUF = "C:\\Users\\Admin\\AppData\\Roaming\\CFMBUF\\CFMBUF.exe"	ejinewcrypt.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 288 set thread context of 1032	288	ejinewcrypt.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
288	ejinewcrypt.exe
1032	ejinewcrypt.exe
1032	ejinewcrypt.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
288	ejinewcrypt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	ejinewcrypt.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1032	288	ejinewcrypt.exe	24
PID 288 wrote to memory of 1032	288	ejinewcrypt.exe	24
PID 288 wrote to memory of 1032	288	ejinewcrypt.exe	24
PID 288 wrote to memory of 1032	288	ejinewcrypt.exe	24
PID 1032 wrote to memory of 1084	1032	ejinewcrypt.exe	28
PID 1032 wrote to memory of 1084	1032	ejinewcrypt.exe	28
PID 1032 wrote to memory of 1084	1032	ejinewcrypt.exe	28
PID 1032 wrote to memory of 1084	1032	ejinewcrypt.exe	28

C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe
"C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:288
- C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" wlan show profile
    3⤵
    PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1032-2-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1032-3-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1032-4-0x00000000004B0000-0x0000000000502000-memory.dmp

Filesize
328KB

Download
memory/1032-5-0x0000000001ED2000-0x0000000001ED3000-memory.dmp

Filesize
4KB

Download
memory/1032-6-0x00000000002B0000-0x00000000002FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing