agenttesla | a56855064cde16356d60565bc667ae8450e8604f66b6c30dfe94c97703e36a96

General

Target

RFQ.pdf.exe
Size

1.1MB
MD5

40ebf8bb674b984b2485616e70581f47
SHA1

9459e7e5c22744f79477aa0aeea03d628bfb9cc3
SHA256

a56855064cde16356d60565bc667ae8450e8604f66b6c30dfe94c97703e36a96
SHA512

f0a88a5ef1de7bdb76bcf92699e1c6e484adbd4e4642ce705cb5f923feaa3965f5d4be7f52c7a9cec219a4ebe27eb83f62882ebcf066d2cd7ac28c55654a989f

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
kingmoney12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

resource	yara_rule
behavioral1/memory/1508-2-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1508-3-0x0000000000446DDE-mapping.dmp	family_agenttesla
behavioral1/memory/1508-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1508-5-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 1508	1124	RFQ.pdf.exe	24

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	RFQ.pdf.exe
1508	RFQ.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	RFQ.pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1508	RFQ.pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24
PID 1124 wrote to memory of 1508	1124	RFQ.pdf.exe	24

C:\Users\Admin\AppData\Local\Temp\RFQ.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\RFQ.pdf.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1508-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1508-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing