agenttesla | 59e51498dc405d419b015e54bc0b183c3a81371835cc3ae4f1f1418f9619f2f4

General

Target

Payment Copy_Bank Note_PDF.exe
Size

388KB
MD5

564497b4dd4f071cec6aff95925f2399
SHA1

1450df447e589ad7f92d73a362dd4d6f57b51a40
SHA256

59e51498dc405d419b015e54bc0b183c3a81371835cc3ae4f1f1418f9619f2f4
SHA512

e4d19465466c038e3e86762e72a5e274fbb5dd513034300778b3a76bab793dc40c4702015765a9db6b31c296c7112e63cfef5f3ed9b7b89a4f8c959356b3c57e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
blessing2020

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1844-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1844-3-0x000000000044690E-mapping.dmp	family_agenttesla
behavioral1/memory/1844-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1844-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1844	1500	Payment Copy_Bank Note_PDF.exe	26

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1844	Payment Copy_Bank Note_PDF.exe
1844	Payment Copy_Bank Note_PDF.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	Payment Copy_Bank Note_PDF.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26
PID 1500 wrote to memory of 1844	1500	Payment Copy_Bank Note_PDF.exe	26

C:\Users\Admin\AppData\Local\Temp\Payment Copy_Bank Note_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Payment Copy_Bank Note_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\Payment Copy_Bank Note_PDF.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1844-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1844-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing