agenttesla | 078acd1810907a12e002129c343b0c0a73f3e62de1b6eb3020942fca6fe2aee4

Analysis

max time kernel
146s
max time network
148s
platform
windows10_x64
resource
win10
submitted
25-07-2020 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Scan-Copy.exe
Size

409KB
MD5

a0c68f83eab0c7fc892546501c4b7a82
SHA1

51e71bfb9b19c00b188c6c549f6180ed1639940d
SHA256

078acd1810907a12e002129c343b0c0a73f3e62de1b6eb3020942fca6fe2aee4
SHA512

20b4d715f8892ca2ef2704c3172262cbd9b58ec83e8ff79053a7dc503b231a01e38c57feda3f3f4a53770d86f6cbce24b1cdd69ea3d52cdcbc26e554d3897ce9

Score

10^/10

spyware keylogger trojan stealer agenttesla

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
chukwudi123

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4024	3888	Scan-Copy.exe	67
PID 3888 wrote to memory of 4024	3888	Scan-Copy.exe	67
PID 3888 wrote to memory of 4024	3888	Scan-Copy.exe	67
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68
PID 3888 wrote to memory of 4080	3888	Scan-Copy.exe	68

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	Scan-Copy.exe
Token: SeDebugPrivilege	4080	Scan-Copy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3888	Scan-Copy.exe
3888	Scan-Copy.exe
4080	Scan-Copy.exe
4080	Scan-Copy.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3888 set thread context of 4080	3888	Scan-Copy.exe	68

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:3888
- C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe
  "{path}"
  2⤵
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:4080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4080-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download