agenttesla | 66bb65619121b9636dd4c02d3573055922b22e0c55ea1ad093d4b2759bf8118e

General

Target

Order NFH.exe
Size

716KB
MD5

e1cd9d71092938389c62ff3cb04f3e21
SHA1

4efb32358f982807fe65236ffd73417f8d29f6fd
SHA256

66bb65619121b9636dd4c02d3573055922b22e0c55ea1ad093d4b2759bf8118e
SHA512

37ae4d6ac8a6022517db42550b43c492f778e1613da04221426844de46c0f7be0544cb4bc14fee841d0a6efc60f98454c5a0c15033834eecdfd5e9d47bc1f680

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
webmail.mantenimientosymontajes.com
Port:
587
Username:
[email protected]
Password:
gnx1470

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1028-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1028-5-0x000000000044742E-mapping.dmp	family_agenttesla
behavioral1/memory/1028-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1028-8-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

RegAsm.exe

pid process

1028 RegAsm.exe
Loads dropped DLL 2 IoCs

Processes:

Order NFH.exeRegAsm.exe

pid process

1492 Order NFH.exe
1028 RegAsm.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order NFH.exe

description pid process target process

PID 1492 set thread context of 1028 1492 Order NFH.exe RegAsm.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Order NFH.exeRegAsm.exe

pid process

1492 Order NFH.exe
1492 Order NFH.exe
1492 Order NFH.exe
1028 RegAsm.exe
1028 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order NFH.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1492 Order NFH.exe
Token: SeDebugPrivilege 1028 RegAsm.exe

pid	process
1028	RegAsm.exe

pid	process
1492	Order NFH.exe
1028	RegAsm.exe

description	pid	process	target process
PID 1492 set thread context of 1028	1492	Order NFH.exe	RegAsm.exe

pid	process
1492	Order NFH.exe
1492	Order NFH.exe
1492	Order NFH.exe
1028	RegAsm.exe
1028	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1492	Order NFH.exe
Token: SeDebugPrivilege	1028	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Order NFH.exe

description	pid	process	target process
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe
PID 1492 wrote to memory of 1028	1492	Order NFH.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Order NFH.exe
"C:\Users\Admin\AppData\Local\Temp\Order NFH.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1028-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1028-5-0x000000000044742E-mapping.dmp

Download
memory/1028-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1028-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1492-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing