agenttesla | e803f10811608ea8e2179185e8c334b22b71097e3a7ec5b56909e3779834ed9b

General

Target

doc.exe
Size

679KB
MD5

c1937217fef2842a39e32e44bc031a05
SHA1

f2a06669e006d5040a1c432b7338e0c2cc046456
SHA256

e803f10811608ea8e2179185e8c334b22b71097e3a7ec5b56909e3779834ed9b
SHA512

0a73042243d2f7958fb7187f65bd1cb8e4eb289bb1cecadbcb57ed0e95cc8da7a148efc179bea355bf7192afe440ce4f36dd2dbb886178b3e3a2cdbbb540a0b8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.factosgroup.com
Port:
587
Username:
[email protected]
Password:
governor221

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1812-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1812-5-0x0000000000446CBE-mapping.dmp	family_agenttesla
behavioral1/memory/1812-8-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1812-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

1812 AddInProcess32.exe
Loads dropped DLL 1 IoCs

Processes:

doc.exe

pid process

1152 doc.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

doc.exe

description pid process target process

PID 1152 set thread context of 1812 1152 doc.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

doc.exeAddInProcess32.exe

pid process

1152 doc.exe
1152 doc.exe
1152 doc.exe
1812 AddInProcess32.exe
1812 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

doc.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1152 doc.exe
Token: SeDebugPrivilege 1812 AddInProcess32.exe

pid	process
1812	AddInProcess32.exe

pid	process
1152	doc.exe

description	pid	process	target process
PID 1152 set thread context of 1812	1152	doc.exe	AddInProcess32.exe

pid	process
1152	doc.exe
1152	doc.exe
1152	doc.exe
1812	AddInProcess32.exe
1812	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1152	doc.exe
Token: SeDebugPrivilege	1812	AddInProcess32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

doc.exe

description	pid	process	target process
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe
PID 1152 wrote to memory of 1812	1152	doc.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\doc.exe
"C:\Users\Admin\AppData\Local\Temp\doc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
memory/1152-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1812-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1812-5-0x0000000000446CBE-mapping.dmp

Download
memory/1812-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1812-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing