agenttesla | fd05d0c54ccb0a7ac4c82e6ccf0c330c47de75c875e7f118e6f60e1ecf362183

General

Target

JUNE_PAYMENT_2020.exe
Size

937KB
MD5

b0a5d7723101d55d454e36bc7e712722
SHA1

42dc27db5970bae948e1077a8c47bf5b44b51ada
SHA256

fd05d0c54ccb0a7ac4c82e6ccf0c330c47de75c875e7f118e6f60e1ecf362183
SHA512

f29830b8aedc2ab08ed2ce3625001daa9cc4b8942ff6f4bfb8334c0f4a9c0f5f79f6d1bd6d7b39ee82cb155bb622a82a9493e524a004bfb85997737c1529173e

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
idahosa1248

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1044-1-0x00000000004A3010-mapping.dmp	family_agenttesla
behavioral1/memory/1044-3-0x0000000000400000-0x00000000004A5000-memory.dmp	family_agenttesla
behavioral1/memory/1044-4-0x0000000000350000-0x000000000039C000-memory.dmp	family_agenttesla
behavioral1/memory/1044-6-0x0000000000220000-0x0000000000267000-memory.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1044-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1044-2-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral1/memory/1044-3-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1044	2040	JUNE_PAYMENT_2020.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	JUNE_PAYMENT_2020.exe
1044	JUNE_PAYMENT_2020.exe
1044	JUNE_PAYMENT_2020.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2040	JUNE_PAYMENT_2020.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	JUNE_PAYMENT_2020.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1044	2040	JUNE_PAYMENT_2020.exe	24
PID 2040 wrote to memory of 1044	2040	JUNE_PAYMENT_2020.exe	24
PID 2040 wrote to memory of 1044	2040	JUNE_PAYMENT_2020.exe	24
PID 2040 wrote to memory of 1044	2040	JUNE_PAYMENT_2020.exe	24

C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe
"C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe
  "C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1044-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1044-2-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1044-3-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1044-4-0x0000000000350000-0x000000000039C000-memory.dmp

Filesize
304KB

Download
memory/1044-5-0x0000000001F22000-0x0000000001F23000-memory.dmp

Filesize
4KB

Download
memory/1044-6-0x0000000000220000-0x0000000000267000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing