agenttesla | 7926de68f0148fa153c0419a0f5ef355f14f705ced4485fea5ce745b3b6c29b8

General

Target

PO copy.pdf.exe
Size

727KB
MD5

4ddacd69b1dde544b039737f3407bb3d
SHA1

3d3ab5401a5342eb1db769044158c3b689ddbf1e
SHA256

7926de68f0148fa153c0419a0f5ef355f14f705ced4485fea5ce745b3b6c29b8
SHA512

391e24dfcbb753f48e392f7b768c161f2dd12f1bb8e7169126c6a55bf7d5eedfb22268f7e01aba54a3fc702f7f20b665a3862c64d4e1b21f61651b69c260ee2e

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sensar-light.com
Port:
587
Username:
[email protected]
Password:
505012345@@@@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1104-3-0x0000000000400000-0x00000000004A4000-memory.dmp	family_agenttesla
behavioral1/memory/1104-4-0x0000000000300000-0x000000000034C000-memory.dmp	family_agenttesla
behavioral1/memory/1104-6-0x0000000000220000-0x0000000000266000-memory.dmp	family_agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1104-0-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/1104-2-0x0000000000400000-0x00000000004A4000-memory.dmp	upx
behavioral1/memory/1104-3-0x0000000000400000-0x00000000004A4000-memory.dmp	upx

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 616 set thread context of 1104	616	PO copy.pdf.exe	24

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
616	PO copy.pdf.exe
1104	PO copy.pdf.exe
1104	PO copy.pdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
616	PO copy.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	PO copy.pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1104	616	PO copy.pdf.exe	24
PID 616 wrote to memory of 1104	616	PO copy.pdf.exe	24
PID 616 wrote to memory of 1104	616	PO copy.pdf.exe	24
PID 616 wrote to memory of 1104	616	PO copy.pdf.exe	24

C:\Users\Admin\AppData\Local\Temp\PO copy.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO copy.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\PO copy.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\PO copy.pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-0-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1104-2-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1104-3-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/1104-4-0x0000000000300000-0x000000000034C000-memory.dmp

Filesize
304KB

Download
memory/1104-5-0x0000000001E62000-0x0000000001E63000-memory.dmp

Filesize
4KB

Download
memory/1104-6-0x0000000000220000-0x0000000000266000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing