agenttesla | 0dff04cbc66cf66ac737d135dea5f85bc6bcf08d274d14d544949951de56597c

General

Target

681378c431cd1552b31f712d5e98603f.exe
Size

439KB
MD5

681378c431cd1552b31f712d5e98603f
SHA1

d9a7241ed11cc4a797a560eb6d15c6e5b5421293
SHA256

0dff04cbc66cf66ac737d135dea5f85bc6bcf08d274d14d544949951de56597c
SHA512

95ddd8865dbf538f149857eb8f4dc46f6a2e82e743fdcad1b6a90197f5d56aba64332cc4659accf222250a2cd2758d0dccb04caa7c1ef3e94620edb29447db62

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
webmail.dragon-pack.com
Port:
587
Username:
lyna.hrd@dragon-pack.com
Password:
LYNAHRDt12

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/656-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/656-5-0x0000000000446D2E-mapping.dmp	family_agenttesla
behavioral1/memory/656-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/656-6-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

681378c431cd1552b31f712d5e98603f.exe

description pid process target process

PID 1324 set thread context of 656 1324 681378c431cd1552b31f712d5e98603f.exe 681378c431cd1552b31f712d5e98603f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

681378c431cd1552b31f712d5e98603f.exe681378c431cd1552b31f712d5e98603f.exe

pid process

1324 681378c431cd1552b31f712d5e98603f.exe
656 681378c431cd1552b31f712d5e98603f.exe
656 681378c431cd1552b31f712d5e98603f.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

681378c431cd1552b31f712d5e98603f.exe681378c431cd1552b31f712d5e98603f.exe

description pid process

Token: SeDebugPrivilege 1324 681378c431cd1552b31f712d5e98603f.exe
Token: SeDebugPrivilege 656 681378c431cd1552b31f712d5e98603f.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

681378c431cd1552b31f712d5e98603f.exe

pid process

656 681378c431cd1552b31f712d5e98603f.exe

description	pid	process	target process
PID 1324 set thread context of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe

pid	process
108	schtasks.exe

pid	process
1324	681378c431cd1552b31f712d5e98603f.exe
656	681378c431cd1552b31f712d5e98603f.exe
656	681378c431cd1552b31f712d5e98603f.exe

description	pid	process
Token: SeDebugPrivilege	1324	681378c431cd1552b31f712d5e98603f.exe
Token: SeDebugPrivilege	656	681378c431cd1552b31f712d5e98603f.exe

pid	process
656	681378c431cd1552b31f712d5e98603f.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

681378c431cd1552b31f712d5e98603f.exe

description	pid	process	target process
PID 1324 wrote to memory of 108	1324	681378c431cd1552b31f712d5e98603f.exe	schtasks.exe
PID 1324 wrote to memory of 108	1324	681378c431cd1552b31f712d5e98603f.exe	schtasks.exe
PID 1324 wrote to memory of 108	1324	681378c431cd1552b31f712d5e98603f.exe	schtasks.exe
PID 1324 wrote to memory of 108	1324	681378c431cd1552b31f712d5e98603f.exe	schtasks.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe
PID 1324 wrote to memory of 656	1324	681378c431cd1552b31f712d5e98603f.exe	681378c431cd1552b31f712d5e98603f.exe

C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe
"C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VLcsak" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC2D1.tmp"
2⤵
- Creates scheduled task(s)
PID:108

C:\Users\Admin\AppData\Local\Temp\681378c431cd1552b31f712d5e98603f.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:656

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC2D1.tmp
MD5
6a8c733cf33eded39bcf3fe6b9b1f97a

SHA1
d6f9934e73c835b12c1ab946407da6462fb26be1

SHA256
8d2fb6c325aa0871692c6ffdbf8bf25b692123278e0ee86012be28d8b5c05ea3

SHA512
9289ebfb680bceb5be12a35d31fef5e8a6e891c4ff4860c41dbce0fff2f1a59b633c67059256f9c214123b0bb54e40b0f9845f681e3c1b227c66465d77237f25

Download Submit
memory/108-2-0x0000000000000000-mapping.dmp

Download
memory/656-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/656-5-0x0000000000446D2E-mapping.dmp

Download
memory/656-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/656-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1324-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads