agenttesla | aed428639ef8418476a13687beed0c54fd48a8d89ca0d9a669439b31d93ca779

General

Target

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Size

407KB
MD5

c62ae892f460e763bb27fefeb4299f73
SHA1

a0c9b5cab3d8d85221711c55542138eeb40df1db
SHA256

aed428639ef8418476a13687beed0c54fd48a8d89ca0d9a669439b31d93ca779
SHA512

036054a5fdab9dee7eae84eb11b87c9201e3d4c1ba0425d92599ec32e61d6a5b227d73b444e8514eb5421b4c5120af1da6d7ebe0dd30c4110a1720a57a1f024a

Score

10^/10

persistence spyware keylogger trojan stealer agenttesla

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1500 set thread context of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description pid process

Token: SeDebugPrivilege 1792 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

description	pid	process
Token: SeDebugPrivilege	1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exeUSD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1500 wrote to memory of 1792	1500	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1792 wrote to memory of 1156	1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1792 wrote to memory of 1156	1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1792 wrote to memory of 1156	1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 1792 wrote to memory of 1156	1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid	process
1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
1792	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid process

1792 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYLZX5 = "C:\\Users\\Admin\\AppData\\Roaming\\IYLZX5\\IYLZX5.exe"	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Adds Run entry to start application
PID:1792

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
- Modifies service
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-4-0x0000000000000000-mapping.dmp

Download
memory/1792-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1792-1-0x000000000044CF0E-mapping.dmp

Download
memory/1792-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1792-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads