agenttesla | 60ecae13c61f3b052a60c0937095f8b485ab10be58502c6bfbf4bec59f4e35ed

General

Target

RFQ_MD662H_PO-783837.exe
Size

589KB
MD5

f607f0ce8f8d6b58da6e8fe681bb8674
SHA1

fbe64f8fc5795dc7b0ea7551e0900f799ac16d27
SHA256

60ecae13c61f3b052a60c0937095f8b485ab10be58502c6bfbf4bec59f4e35ed
SHA512

6e96c369dccc9f8dd41948883aa8a98f7528bc112bb86eb2e60bd276d4b39980a999feaee63eb601352fcee67aae80f8cfccdb8747f0fb6a7bcec07340209a33

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.edgeict.com
Port:
587
Username:
[email protected]
Password:
sales-1209

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/912-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/912-3-0x000000000044729E-mapping.dmp	family_agenttesla
behavioral1/memory/912-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/912-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 912	1108	RFQ_MD662H_PO-783837.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1108	RFQ_MD662H_PO-783837.exe
912	RFQ_MD662H_PO-783837.exe
912	RFQ_MD662H_PO-783837.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	RFQ_MD662H_PO-783837.exe
Token: SeDebugPrivilege	912	RFQ_MD662H_PO-783837.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24
PID 1108 wrote to memory of 912	1108	RFQ_MD662H_PO-783837.exe	24

C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\RFQ_MD662H_PO-783837.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/912-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/912-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing