agenttesla | cd6b21ec1d160de963ffb891b3a41b8c4c33eaee4458523108b9df1eafdabd4b

General

Target

Copy of items needed.exe
Size

483KB
MD5

ba217edfb5b42263b608a85d5c98f242
SHA1

66377a61f38ba4846548919f194883199858f05b
SHA256

cd6b21ec1d160de963ffb891b3a41b8c4c33eaee4458523108b9df1eafdabd4b
SHA512

917281b0e464ae61af79a026518348c2c97efe172f5fdfa009f5ea10af66e78a735539fcb09e905b1ee9b02689cd14c8cc5ab5a160fddcc0c6d16577c4eaa6c1

Score

10^/10

keylogger stealer spyware trojan agenttesla

Malware Config

Signatures

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Copy of items needed.exeCopy of items needed.exe

pid process

1688 Copy of items needed.exe
1688 Copy of items needed.exe
1840 Copy of items needed.exe
1840 Copy of items needed.exe

pid	process
1688	Copy of items needed.exe
1688	Copy of items needed.exe
1840	Copy of items needed.exe
1840	Copy of items needed.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Copy of items needed.exe

description	pid	process	target process
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe
PID 1688 wrote to memory of 1840	1688	Copy of items needed.exe	Copy of items needed.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Copy of items needed.exe

description pid process target process

PID 1688 set thread context of 1840 1688 Copy of items needed.exe Copy of items needed.exe

description	pid	process	target process
PID 1688 set thread context of 1840	1688	Copy of items needed.exe	Copy of items needed.exe

AgentTesla Payload 7 IoCs

keylogger stealer

Processes:

resource	yara_rule
behavioral1/memory/1840-1-0x0000000000400000-0x000000000044C000-memory.dmp	agent_tesla
behavioral1/memory/1840-1-0x0000000000400000-0x000000000044C000-memory.dmp	agent_tesla
behavioral1/memory/1840-2-0x000000000044714E-mapping.dmp	agent_tesla
behavioral1/memory/1840-3-0x0000000000400000-0x000000000044C000-memory.dmp	agent_tesla
behavioral1/memory/1840-3-0x0000000000400000-0x000000000044C000-memory.dmp	agent_tesla
behavioral1/memory/1840-4-0x0000000000400000-0x000000000044C000-memory.dmp	agent_tesla
behavioral1/memory/1840-4-0x0000000000400000-0x000000000044C000-memory.dmp	agent_tesla

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Copy of items needed.exeCopy of items needed.exe

description pid process

Token: SeDebugPrivilege 1688 Copy of items needed.exe
Token: SeDebugPrivilege 1840 Copy of items needed.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

description	pid	process
Token: SeDebugPrivilege	1688	Copy of items needed.exe
Token: SeDebugPrivilege	1840	Copy of items needed.exe

C:\Users\Admin\AppData\Local\Temp\Copy of items needed.exe
"C:\Users\Admin\AppData\Local\Temp\Copy of items needed.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Admin\AppData\Local\Temp\Copy of items needed.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1840-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-2-0x000000000044714E-mapping.dmp

Download
memory/1840-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1840-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing