agenttesla | 76273b9a9b644e29ab62e389963e01a38af1882e7173afd9179ef487327e92a3

General

Target

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Size

577KB
MD5

ead08001bcb9fa496a221b48fe428325
SHA1

d71a1a02ec57f3d72ce83dd7cf19ae6cde279450
SHA256

76273b9a9b644e29ab62e389963e01a38af1882e7173afd9179ef487327e92a3
SHA512

01df41873d19c450b026d51d872ffbd7180063f9c54ed06770f06a0986d0d125d4943f4c1efe85c646ffc2faabc4429e2404b528c975e4f2af205effabb262c5

Score

10^/10

persistence spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.rebu.co.rw
Port:
21
Username:
[email protected]
Password:
o^Z0CIU?^yL2

Signatures

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 976 wrote to memory of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67
PID 3896 wrote to memory of 1068	3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	75
PID 3896 wrote to memory of 1068	3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	75
PID 3896 wrote to memory of 1068	3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	75

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 976 set thread context of 3896	976	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	67

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3896	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYLZX5 = "C:\\Users\\Admin\\AppData\\Roaming\\IYLZX5\\IYLZX5.exe"	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:976
- C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Adds Run entry to start application
  PID:3896
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" wlan show profile
    3⤵
    PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3896-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing