agenttesla | 029905c8789b5194e3f20a0a818bbd8922d113ce41ac880fe44f56d39b6a6356

General

Target

NewyorkUSA-hsbc - confirmation.exe
Size

484KB
MD5

24e4040b9a02c8cc8a96ac685cc15bd2
SHA1

1600fc7708ea4f7ca0f0d310362a8862700d1fdd
SHA256

029905c8789b5194e3f20a0a818bbd8922d113ce41ac880fe44f56d39b6a6356
SHA512

9e923595ffc60174755ce69216f57048ffadc3bd09b6dd628b916f202104154ce02d39b4710ae07a43267036b09f07741556f5a8d1b081c6c3e96b4111ae6d24

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.lctechs-engineering.com
Port:
587
Username:
[email protected]
Password:
0y~q4Y?~Yltr

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/320-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/320-5-0x0000000000446CDE-mapping.dmp	family_agenttesla
behavioral1/memory/320-6-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/320-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	NewyorkUSA-hsbc - confirmation.exe
320	NewyorkUSA-hsbc - confirmation.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	NewyorkUSA-hsbc - confirmation.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1760	1428	NewyorkUSA-hsbc - confirmation.exe	26
PID 1428 wrote to memory of 1760	1428	NewyorkUSA-hsbc - confirmation.exe	26
PID 1428 wrote to memory of 1760	1428	NewyorkUSA-hsbc - confirmation.exe	26
PID 1428 wrote to memory of 1760	1428	NewyorkUSA-hsbc - confirmation.exe	26
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28
PID 1428 wrote to memory of 320	1428	NewyorkUSA-hsbc - confirmation.exe	28

C:\Users\Admin\AppData\Local\Temp\NewyorkUSA-hsbc - confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\NewyorkUSA-hsbc - confirmation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HIDDgimHLoyFeF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62C7.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\NewyorkUSA-hsbc - confirmation.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/320-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/320-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads