agenttesla | 9ebeccf2c2b987cf1506b20018874f44c8aa28c477cf33dc4f6ca45bb7f25a9d

General

Target

Quotation Forms_GJN20SP-E0479.xls.exe
Size

700KB
MD5

51b226b1ae909650dfdfa844a3c73e37
SHA1

deb329af0ccefaba8e3fd5f17c1e4eb26eed7006
SHA256

9ebeccf2c2b987cf1506b20018874f44c8aa28c477cf33dc4f6ca45bb7f25a9d
SHA512

9be2478a834c88426c204f2cb4dbe99267ea33f04dd4084bfe5a136f54c9e2e0abd88718c29014d7a2eae958c3d4aaf73cbca3b15dbaae5e1e06db82ae917b9b

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
secure197.inmotionhosting.com
Port:
587
Username:
khanh.to@goodland.com.vn
Password:
GL@123456

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1092-168-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1092-169-0x000000000044CB2E-mapping.dmp	family_agenttesla
behavioral1/memory/1092-170-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1092-171-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation Forms_GJN20SP-E0479.xls.exe

description pid process target process

PID 1892 set thread context of 1092 1892 Quotation Forms_GJN20SP-E0479.xls.exe Quotation Forms_GJN20SP-E0479.xls.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Quotation Forms_GJN20SP-E0479.xls.exe

pid process

1092 Quotation Forms_GJN20SP-E0479.xls.exe
1092 Quotation Forms_GJN20SP-E0479.xls.exe

description	pid	process	target process
PID 1892 set thread context of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe

pid	process
1092	Quotation Forms_GJN20SP-E0479.xls.exe
1092	Quotation Forms_GJN20SP-E0479.xls.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Quotation Forms_GJN20SP-E0479.xls.exeQuotation Forms_GJN20SP-E0479.xls.exe

description	pid	process
Token: SeDebugPrivilege	1892	Quotation Forms_GJN20SP-E0479.xls.exe
Token: SeDebugPrivilege	1092	Quotation Forms_GJN20SP-E0479.xls.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Quotation Forms_GJN20SP-E0479.xls.exe

pid process

1892 Quotation Forms_GJN20SP-E0479.xls.exe
1892 Quotation Forms_GJN20SP-E0479.xls.exe

pid	process
1892	Quotation Forms_GJN20SP-E0479.xls.exe
1892	Quotation Forms_GJN20SP-E0479.xls.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Quotation Forms_GJN20SP-E0479.xls.exeQuotation Forms_GJN20SP-E0479.xls.exe

description	pid	process	target process
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1892 wrote to memory of 1092	1892	Quotation Forms_GJN20SP-E0479.xls.exe	Quotation Forms_GJN20SP-E0479.xls.exe
PID 1092 wrote to memory of 1088	1092	Quotation Forms_GJN20SP-E0479.xls.exe	netsh.exe
PID 1092 wrote to memory of 1088	1092	Quotation Forms_GJN20SP-E0479.xls.exe	netsh.exe
PID 1092 wrote to memory of 1088	1092	Quotation Forms_GJN20SP-E0479.xls.exe	netsh.exe
PID 1092 wrote to memory of 1088	1092	Quotation Forms_GJN20SP-E0479.xls.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Quotation Forms_GJN20SP-E0479.xls.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation Forms_GJN20SP-E0479.xls.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Local\Temp\Quotation Forms_GJN20SP-E0479.xls.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:1088

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-172-0x0000000000000000-mapping.dmp

Download
memory/1092-168-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1092-169-0x000000000044CB2E-mapping.dmp

Download
memory/1092-170-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1092-171-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1216-167-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads