agenttesla | 76273b9a9b644e29ab62e389963e01a38af1882e7173afd9179ef487327e92a3

General

Target

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Size

577KB
MD5

ead08001bcb9fa496a221b48fe428325
SHA1

d71a1a02ec57f3d72ce83dd7cf19ae6cde279450
SHA256

76273b9a9b644e29ab62e389963e01a38af1882e7173afd9179ef487327e92a3
SHA512

01df41873d19c450b026d51d872ffbd7180063f9c54ed06770f06a0986d0d125d4943f4c1efe85c646ffc2faabc4429e2404b528c975e4f2af205effabb262c5

Score

10^/10

persistence spyware keylogger trojan stealer agenttesla

Malware Config

Signatures

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exeUSD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1296 wrote to memory of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1676 wrote to memory of 548	1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1676 wrote to memory of 548	1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1676 wrote to memory of 548	1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1676 wrote to memory of 548	1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYLZX5 = "C:\\Users\\Admin\\AppData\\Roaming\\IYLZX5\\IYLZX5.exe"	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1296 set thread context of 1676	1296	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description pid process

Token: SeDebugPrivilege 1676 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process
Token: SeDebugPrivilege	1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid	process
1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
1676	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid process

1676 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1296

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
- Modifies service
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-4-0x0000000000000000-mapping.dmp

Download
memory/1676-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1676-1-0x000000000044CF0E-mapping.dmp

Download
memory/1676-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1676-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads