agenttesla | f62f3cde15b3f736af8a87f8999149eb5e8ada35513883b56dc120db3781b20f

General

Target

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Size

424KB
MD5

b588e0837e623179249b67cd2e82777c
SHA1

633eb25d1e555088518d4a04db5ea2cc9cef09a6
SHA256

f62f3cde15b3f736af8a87f8999149eb5e8ada35513883b56dc120db3781b20f
SHA512

1d43c46ef672abf38cc72067635e20b1360bad8a013fb9cfd1a42558d1b2b4725eb0ef953dea396832acced8aeaae2b58a4de6da89d12e7cd2b210f77e3baafb

Score

10^/10

persistence spyware keylogger trojan stealer agenttesla

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1496 set thread context of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description pid process

Token: SeDebugPrivilege 1824 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process
Token: SeDebugPrivilege	1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid	process
1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exeUSD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1496 wrote to memory of 1824	1496	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1824 wrote to memory of 1596	1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1824 wrote to memory of 1596	1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1824 wrote to memory of 1596	1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1824 wrote to memory of 1596	1824	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid process

1824 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYLZX5 = "C:\\Users\\Admin\\AppData\\Roaming\\IYLZX5\\IYLZX5.exe"	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Adds Run entry to start application
PID:1824

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
- Modifies service
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-4-0x0000000000000000-mapping.dmp

Download
memory/1824-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1824-1-0x000000000044CF0E-mapping.dmp

Download
memory/1824-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1824-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads