agenttesla | fd05d0c54ccb0a7ac4c82e6ccf0c330c47de75c875e7f118e6f60e1ecf362183

General

Target

JUNE_PAYMENT_2020.exe
Size

937KB
MD5

b0a5d7723101d55d454e36bc7e712722
SHA1

42dc27db5970bae948e1077a8c47bf5b44b51ada
SHA256

fd05d0c54ccb0a7ac4c82e6ccf0c330c47de75c875e7f118e6f60e1ecf362183
SHA512

f29830b8aedc2ab08ed2ce3625001daa9cc4b8942ff6f4bfb8334c0f4a9c0f5f79f6d1bd6d7b39ee82cb155bb622a82a9493e524a004bfb85997737c1529173e

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
idahosa1248

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2092-3-0x0000000000400000-0x00000000004A5000-memory.dmp	family_agenttesla
behavioral2/memory/2092-4-0x00000000009B0000-0x00000000009FC000-memory.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2092-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2092-2-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/2092-3-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 2092	4004	JUNE_PAYMENT_2020.exe	66

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4004	JUNE_PAYMENT_2020.exe
4004	JUNE_PAYMENT_2020.exe
2092	JUNE_PAYMENT_2020.exe
2092	JUNE_PAYMENT_2020.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4004	JUNE_PAYMENT_2020.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	JUNE_PAYMENT_2020.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2092	4004	JUNE_PAYMENT_2020.exe	66
PID 4004 wrote to memory of 2092	4004	JUNE_PAYMENT_2020.exe	66
PID 4004 wrote to memory of 2092	4004	JUNE_PAYMENT_2020.exe	66

C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe
"C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe
  "C:\Users\Admin\AppData\Local\Temp\JUNE_PAYMENT_2020.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2092-2-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2092-3-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/2092-4-0x00000000009B0000-0x00000000009FC000-memory.dmp

Filesize
304KB

Download
memory/2092-5-0x00000000023D2000-0x00000000023D3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing