agenttesla | a7a7aab77c51aa47002d095884315b579779d134a893ec6270b4e2ea83bfc921

General

Target

Ref scan_07_020.exe
Size

933KB
MD5

36d9a9a7eb556afd4cd1e68dfb408d57
SHA1

c66c2ae7e13d7690e2e9ab9d3eb44dc3085def77
SHA256

a7a7aab77c51aa47002d095884315b579779d134a893ec6270b4e2ea83bfc921
SHA512

f33b952512ae96788bb7af3eb495d435a4ec5ee63da6c7fca62ebf4862287f82a5f7685244b665ad303cb901ba84140130d9f96b6788cf5c999d276d8482665c

Score

10^/10

keylogger trojan stealer spyware agenttesla

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Godwin@1234

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3544	Ref scan_07_020.exe
3544	Ref scan_07_020.exe
3028	Ref scan_07_020.exe
3028	Ref scan_07_020.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3544	Ref scan_07_020.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	Ref scan_07_020.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3028-0-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/3028-2-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/3028-3-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3028	3544	Ref scan_07_020.exe	67
PID 3544 wrote to memory of 3028	3544	Ref scan_07_020.exe	67
PID 3544 wrote to memory of 3028	3544	Ref scan_07_020.exe	67

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3544 set thread context of 3028	3544	Ref scan_07_020.exe	67

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\Ref scan_07_020.exe
"C:\Users\Admin\AppData\Local\Temp\Ref scan_07_020.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3544
- C:\Users\Admin\AppData\Local\Temp\Ref scan_07_020.exe
  "C:\Users\Admin\AppData\Local\Temp\Ref scan_07_020.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3028-2-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3028-3-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3028-4-0x00000000021B0000-0x00000000021FC000-memory.dmp

Filesize
304KB

Download
memory/3028-5-0x00000000021A2000-0x00000000021A3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing