agenttesla | 5c376e5e14153f9b1e81f8dce785eba1e46ebfc0e8aa00d91fadddea406d79f3

General

Target

ETA_Bill of lading.exe
Size

687KB
MD5

46e35f5892e7f9f37c24929048e8f9a7
SHA1

878391fdd08399c9a23bfc923a5f3e6fb3b9a59f
SHA256

5c376e5e14153f9b1e81f8dce785eba1e46ebfc0e8aa00d91fadddea406d79f3
SHA512

25f993d762f96bfe5b254041c15f1c2a3ccdaeb95df0d2452981e6d8962bfe0e94bd6f9ab7aefd93af9d32e9f6aa0271450ae33fd2ed24de528e8420e9e93834

Score

10^/10

upx spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
ikechukwu112

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2996	3588	ETA_Bill of lading.exe	67
PID 3588 wrote to memory of 2996	3588	ETA_Bill of lading.exe	67
PID 3588 wrote to memory of 2996	3588	ETA_Bill of lading.exe	67

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3588	ETA_Bill of lading.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3588 set thread context of 2996	3588	ETA_Bill of lading.exe	67

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	ETA_Bill of lading.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3588	ETA_Bill of lading.exe
3588	ETA_Bill of lading.exe
2996	ETA_Bill of lading.exe
2996	ETA_Bill of lading.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2996-0-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/2996-2-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral2/memory/2996-3-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\ETA_Bill of lading.exe
"C:\Users\Admin\AppData\Local\Temp\ETA_Bill of lading.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3588
- C:\Users\Admin\AppData\Local\Temp\ETA_Bill of lading.exe
  "C:\Users\Admin\AppData\Local\Temp\ETA_Bill of lading.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2996-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2996-2-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2996-3-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2996-4-0x0000000002170000-0x00000000021BC000-memory.dmp

Filesize
304KB

Download
memory/2996-5-0x00000000022C2000-0x00000000022C3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing