agenttesla | 799f02ac69cb8e3435d97aa0b13e5d0c53a926751bb5ae337cd3bb45d18d0752

General

Target

Scan_doc_inv_199830992.exe
Size

547KB
MD5

887d35132289eb2285cdbca3f6e63238
SHA1

5f4d8542f0d7a34d82587330f9b0aad495b62cd3
SHA256

799f02ac69cb8e3435d97aa0b13e5d0c53a926751bb5ae337cd3bb45d18d0752
SHA512

dd29bcfdfb668695262074dc60dac96faba1ea29142d75ebae35b105afa016507b7776112f0bedf610070f02b6e02e1d412e994a88735318b2b408bb321c30e7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.knmbz.com
Port:
587
Username:
[email protected]
Password:
kJubHQs8

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1420-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1420-3-0x0000000000446A0E-mapping.dmp	family_agenttesla
behavioral1/memory/1420-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1420-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 1420	1044	Scan_doc_inv_199830992.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	Scan_doc_inv_199830992.exe
1420	Scan_doc_inv_199830992.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	Scan_doc_inv_199830992.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24
PID 1044 wrote to memory of 1420	1044	Scan_doc_inv_199830992.exe	24

C:\Users\Admin\AppData\Local\Temp\Scan_doc_inv_199830992.exe
"C:\Users\Admin\AppData\Local\Temp\Scan_doc_inv_199830992.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\Scan_doc_inv_199830992.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1420-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1420-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1420-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing