agenttesla | ee2a89fa1ed80e14eb7fc1a74780d480c574307d0d40aac90c22e8ab7d8b9332

General

Target

RFQ PO-05612020_pdf.exe
Size

351KB
MD5

1b752bcc97d601f051ee22881b4ae85c
SHA1

6a94e417c140c64bb2d45955eba08efe72cc89e5
SHA256

ee2a89fa1ed80e14eb7fc1a74780d480c574307d0d40aac90c22e8ab7d8b9332
SHA512

657f470688c9b4ba1756be778991fd7dec0ca18f24e1ef04686101461269d4c1a43107ee80e3ea646137ff4e8d33ae06b617f36736f9ef3170ce43552fe45868

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.anding-tw.com
Port:
587
Username:
[email protected]
Password:
7#Sjsj*ebT+2

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1820-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1820-5-0x00000000004471DE-mapping.dmp	family_agenttesla
behavioral1/memory/1820-6-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1820-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ PO-05612020_pdf.exe

description pid process target process

PID 1492 set thread context of 1820 1492 RFQ PO-05612020_pdf.exe RFQ PO-05612020_pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1908 schtasks.exe

description	pid	process	target process
PID 1492 set thread context of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe

pid	process
1908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RFQ PO-05612020_pdf.exeRFQ PO-05612020_pdf.exe

pid	process
1492	RFQ PO-05612020_pdf.exe
1492	RFQ PO-05612020_pdf.exe
1492	RFQ PO-05612020_pdf.exe
1820	RFQ PO-05612020_pdf.exe
1820	RFQ PO-05612020_pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ PO-05612020_pdf.exeRFQ PO-05612020_pdf.exe

description pid process

Token: SeDebugPrivilege 1492 RFQ PO-05612020_pdf.exe
Token: SeDebugPrivilege 1820 RFQ PO-05612020_pdf.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RFQ PO-05612020_pdf.exe

pid process

1820 RFQ PO-05612020_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1492	RFQ PO-05612020_pdf.exe
Token: SeDebugPrivilege	1820	RFQ PO-05612020_pdf.exe

pid	process
1820	RFQ PO-05612020_pdf.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

RFQ PO-05612020_pdf.exe

description	pid	process	target process
PID 1492 wrote to memory of 1908	1492	RFQ PO-05612020_pdf.exe	schtasks.exe
PID 1492 wrote to memory of 1908	1492	RFQ PO-05612020_pdf.exe	schtasks.exe
PID 1492 wrote to memory of 1908	1492	RFQ PO-05612020_pdf.exe	schtasks.exe
PID 1492 wrote to memory of 1908	1492	RFQ PO-05612020_pdf.exe	schtasks.exe
PID 1492 wrote to memory of 1916	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1916	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1916	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1916	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe
PID 1492 wrote to memory of 1820	1492	RFQ PO-05612020_pdf.exe	RFQ PO-05612020_pdf.exe

C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eigcTrcoftsfms" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE4B.tmp"
2⤵
- Creates scheduled task(s)
PID:1908

C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe
"{path}"
2⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\RFQ PO-05612020_pdf.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1820

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFE4B.tmp
MD5
179f61a5ac6f22944b6ecfcd9b71070a

SHA1
0856783d07afafb8fe4ffcb6083bbfb51fa7a890

SHA256
ec3e585877a31c01b5528507f1c1ec47f1db8c6ef38e50b71b228f1f51de17ee

SHA512
cfd22e7b9bc94f58b73eeb6bc1b4ca89a1928b186056222193f43081ff51ff6d81e72c56f1070cb646b52dc0354f6f590f99b4a1e9c62e46d6a78cb4b5fb84b8

Download Submit
memory/1492-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1820-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1820-5-0x00000000004471DE-mapping.dmp

Download
memory/1820-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1820-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1908-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads