agenttesla | 2e6c9cf68a8bcca1eb368038a06f47566eb7fd3eb6ea6919bcbd293dbadf1e11

General

Target

Order-No 20200708 pdf.exe
Size

741KB
MD5

96be544435702043037ddad6334cbb89
SHA1

46a4fc933f172d345bb5f4727eb6ae92dbdf6c54
SHA256

2e6c9cf68a8bcca1eb368038a06f47566eb7fd3eb6ea6919bcbd293dbadf1e11
SHA512

358a655ecafb05919f153651ca4addeb692f8a3011b1800ef47fda9a7e916c7bbebefaa883ad3d2b3a8037715362b246d380c1c2c2b00e4e413071652104c4db

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.sbcglebal.net
Port:
587
Username:
[email protected]
Password:
vNPkSoy1

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1856-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1856-3-0x0000000000446F9E-mapping.dmp	family_agenttesla
behavioral1/memory/1856-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1856-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1516 set thread context of 1856	1516	Order-No 20200708 pdf.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1856	Order-No 20200708 pdf.exe
1856	Order-No 20200708 pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	Order-No 20200708 pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1856	Order-No 20200708 pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24
PID 1516 wrote to memory of 1856	1516	Order-No 20200708 pdf.exe	24

C:\Users\Admin\AppData\Local\Temp\Order-No 20200708 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order-No 20200708 pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\Order-No 20200708 pdf.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1856-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1856-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing