agenttesla | a66773bfc5fe5cfabc1ba18edbf514246699d37ccaace2705a8f4c0ecb6ee8bd

General

Target

IMG11202070.bat.exe
Size

555KB
MD5

e12344e0c8ee8f3b4cc19f0e1260c82f
SHA1

a32766ade8753dfe51d55bdca9032f45358074ac
SHA256

a66773bfc5fe5cfabc1ba18edbf514246699d37ccaace2705a8f4c0ecb6ee8bd
SHA512

c68e455cb2a121e3a8b6d9aab76fa840c3aa36fac1eab119e7b95672ffbd15666ecfc02ce057099b853f0e253e1f12a7d1ed591aae09a1f8d74124872cc5a8e3

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.magicpharma.pt
Port:
587
Username:
[email protected]
Password:
Mc@1234

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.magicpharma.pt
Port:
587
Username:
[email protected]
Password:
Mc@1234

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3660-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/3660-5-0x000000000044739E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3704 set thread context of 3660	3704	IMG11202070.bat.exe	67

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3660	IMG11202070.bat.exe
3660	IMG11202070.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	IMG11202070.bat.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67
PID 3704 wrote to memory of 3660	3704	IMG11202070.bat.exe	67

C:\Users\Admin\AppData\Local\Temp\IMG11202070.bat.exe
"C:\Users\Admin\AppData\Local\Temp\IMG11202070.bat.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\IMG11202070.bat.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3660-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads