agenttesla | 320d8e5b7e793a621dd6abf947dc9f04051e25473e1b9fe7da90cf161bf24112

General

Target

Scan-Copy.exe
Size

529KB
MD5

e69da1196ecfd94f4fe6a86a23aae8c0
SHA1

f15ecfdc801b7b957dc9697ca7643e7ebf05383f
SHA256

320d8e5b7e793a621dd6abf947dc9f04051e25473e1b9fe7da90cf161bf24112
SHA512

e796b9ff2536fe68b828a2ff14c5d8712efc99421e8db5c065e99d1cd3e9a46df8429d78c16b535bafda9c1df72505951ecce7721480647f795db1e8abdc576d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
chuk5anderson@yandex.ru
Password:
chukwudi123

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
chuk5anderson@yandex.ru
Password:
chukwudi123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/188-3-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/188-4-0x0000000000449E3E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Scan-Copy.exe

description pid process target process

PID 3408 set thread context of 188 3408 Scan-Copy.exe Scan-Copy.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Scan-Copy.exe

pid process

188 Scan-Copy.exe
188 Scan-Copy.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Scan-Copy.exeScan-Copy.exe

description pid process

Token: SeDebugPrivilege 3408 Scan-Copy.exe
Token: SeDebugPrivilege 188 Scan-Copy.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Scan-Copy.exe

pid process

3408 Scan-Copy.exe
3408 Scan-Copy.exe

description	pid	process	target process
PID 3408 set thread context of 188	3408	Scan-Copy.exe	Scan-Copy.exe

pid	process
188	Scan-Copy.exe
188	Scan-Copy.exe

description	pid	process
Token: SeDebugPrivilege	3408	Scan-Copy.exe
Token: SeDebugPrivilege	188	Scan-Copy.exe

pid	process
3408	Scan-Copy.exe
3408	Scan-Copy.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Scan-Copy.exe

description	pid	process	target process
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe
PID 3408 wrote to memory of 188	3408	Scan-Copy.exe	Scan-Copy.exe

C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\Scan-Copy.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Scan-Copy.exe.log
MD5
2ce1b56364fa233e3c3b24c1094c08ef

SHA1
6bd332829aebe567d7b2cb1fd9a82dfe1791052f

SHA256
dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e

SHA512
5abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9

Download Submit
memory/188-3-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/188-4-0x0000000000449E3E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads