agenttesla | 7a3c761d105aebdfc06ce56ef43ba47d374ba81cc1d64d5380054cccbd92bd57

General

Target

5555555000000000.exe
Size

739KB
MD5

4dd6e8b706a8b9b1c9d79ae68aa2162a
SHA1

ea7b82c7e32ebbaaf52e2a646f33643cba26c189
SHA256

7a3c761d105aebdfc06ce56ef43ba47d374ba81cc1d64d5380054cccbd92bd57
SHA512

52698478ccca80480d51d7163d3581d366372801ca67978d0233b1f13db158a4d47aa3699727e0f7b65e5b9c3de6d177052beac69d91b4e2e8ec4309e42a079f

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sensar-light.com
Port:
587
Username:
[email protected]
Password:
505012345@@@@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1276-3-0x0000000000400000-0x00000000004A5000-memory.dmp	family_agenttesla
behavioral2/memory/1276-4-0x0000000000980000-0x00000000009CC000-memory.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1276-0-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/1276-2-0x0000000000400000-0x00000000004A5000-memory.dmp	upx
behavioral2/memory/1276-3-0x0000000000400000-0x00000000004A5000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 1276	664	5555555000000000.exe	68

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
664	5555555000000000.exe
664	5555555000000000.exe
1276	5555555000000000.exe
1276	5555555000000000.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
664	5555555000000000.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1276	5555555000000000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 1276	664	5555555000000000.exe	68
PID 664 wrote to memory of 1276	664	5555555000000000.exe	68
PID 664 wrote to memory of 1276	664	5555555000000000.exe	68

C:\Users\Admin\AppData\Local\Temp\5555555000000000.exe
"C:\Users\Admin\AppData\Local\Temp\5555555000000000.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:664
- C:\Users\Admin\AppData\Local\Temp\5555555000000000.exe
  "C:\Users\Admin\AppData\Local\Temp\5555555000000000.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-0-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1276-2-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1276-3-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1276-4-0x0000000000980000-0x00000000009CC000-memory.dmp

Filesize
304KB

Download
memory/1276-5-0x0000000000A62000-0x0000000000A63000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing