agenttesla | f7ca5b06b736c007b2dfea70bcb1cba8d3b243bc040813e367b13b927d44cbfc

General

Target

SWIFT-59300 EUR-17072020.exe
Size

680KB
MD5

188fd2e1bf755663652b48b41e3f467c
SHA1

6b90ad2f776caad562ca529c8e70681335ea4b5c
SHA256

f7ca5b06b736c007b2dfea70bcb1cba8d3b243bc040813e367b13b927d44cbfc
SHA512

314e48e2637d573083d8864c2f3dcafa8b66c1b7ad4e13c418f18ad77fa6ed74601e71aa93fa400efb1b58db8641bede32747baae2451552a640a804cfb1f86d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.baslog.rs
Port:
587
Username:
[email protected]
Password:
baslog8745

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1800-4-0x000000000044AB0E-mapping.dmp	family_agenttesla
behavioral1/memory/1800-5-0x0000000000080000-0x00000000000D0000-memory.dmp	family_agenttesla
behavioral1/memory/1800-6-0x0000000000080000-0x00000000000D0000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 900 set thread context of 1800	900	SWIFT-59300 EUR-17072020.exe	24

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
900	SWIFT-59300 EUR-17072020.exe
900	SWIFT-59300 EUR-17072020.exe
900	SWIFT-59300 EUR-17072020.exe
1800	SWIFT-59300 EUR-17072020.exe
1800	SWIFT-59300 EUR-17072020.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1800	SWIFT-59300 EUR-17072020.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	SWIFT-59300 EUR-17072020.exe
Token: SeDebugPrivilege	1800	SWIFT-59300 EUR-17072020.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24
PID 900 wrote to memory of 1800	900	SWIFT-59300 EUR-17072020.exe	24

C:\Users\Admin\AppData\Local\Temp\SWIFT-59300 EUR-17072020.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT-59300 EUR-17072020.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\SWIFT-59300 EUR-17072020.exe
  "C:\Users\Admin\AppData\Local\Temp\SWIFT-59300 EUR-17072020.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1800-5-0x0000000000080000-0x00000000000D0000-memory.dmp

Filesize
320KB

Download
memory/1800-6-0x0000000000080000-0x00000000000D0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing