agenttesla | 0f26ab1bbfe9ae635cc4c9bf3d463e35d001034282b2e2ca332e3ae39810832e

General

Target

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Size

422KB
MD5

e7a7bb922d5be4368c8797458d72fc59
SHA1

f185cacea108376a9eebf558e1a7adef686e7534
SHA256

0f26ab1bbfe9ae635cc4c9bf3d463e35d001034282b2e2ca332e3ae39810832e
SHA512

a123a1e66be237c10ed1b2194e983693113e90525da496c51926d1bac1157a381a78f2c2ab5d1e9c22726d9bfed806d7bd6db470cb66d1ce5437c4f71c9a6e0b

Score

10^/10

persistence spyware keylogger trojan stealer agenttesla

Malware Config

Signatures

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\IYLZX5 = "C:\\Users\\Admin\\AppData\\Roaming\\IYLZX5\\IYLZX5.exe"	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1492 set thread context of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description pid process

Token: SeDebugPrivilege 388 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid process

388 USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process
Token: SeDebugPrivilege	388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exeUSD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

description	pid	process	target process
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 1492 wrote to memory of 388	1492	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
PID 388 wrote to memory of 1640	388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 388 wrote to memory of 1640	388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 388 wrote to memory of 1640	388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe
PID 388 wrote to memory of 1640	388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

pid	process
388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
388	USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\USD TT SWIFT _679388 190617_2019-NLCIV000003576_ES146009_30309679.exe
"{path}"
2⤵
- Adds Run entry to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
- Modifies service
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/388-1-0x000000000044CF0E-mapping.dmp

Download
memory/388-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/388-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1640-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads