agenttesla | bd03cebf0f02bc3313ccbe3de2948e4981d52c983d2215c637dda38ab89863e4

General

Target

Required Order Details 001.exe
Size

537KB
MD5

f6e34497d97cebc5553faaebf4f97a41
SHA1

724b2fad734afe8ca78fa6c7f05a626391618d37
SHA256

bd03cebf0f02bc3313ccbe3de2948e4981d52c983d2215c637dda38ab89863e4
SHA512

e130aeeef5d9dea7270135b84a2fb7ec46a9158e218f2dd84c36487ffacec9b187c75e2da87d3684fe632b9bb4b728101f6e10f7c1bdb4628f487e08bddd270d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.samlogistics.pk
Port:
587
Username:
csd@samlogistics.pk
Password:
Seaimport121@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.samlogistics.pk
Port:
587
Username:
csd@samlogistics.pk
Password:
Seaimport121@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/8-2-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral2/memory/8-3-0x000000000044C6EE-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Required Order Details 001.exe

description pid process target process

PID 1028 set thread context of 8 1028 Required Order Details 001.exe Required Order Details 001.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Required Order Details 001.exe

pid process

8 Required Order Details 001.exe
8 Required Order Details 001.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Required Order Details 001.exeRequired Order Details 001.exe

description pid process

Token: SeDebugPrivilege 1028 Required Order Details 001.exe
Token: SeDebugPrivilege 8 Required Order Details 001.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Required Order Details 001.exe

pid process

1028 Required Order Details 001.exe
1028 Required Order Details 001.exe

description	pid	process	target process
PID 1028 set thread context of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe

pid	process
8	Required Order Details 001.exe
8	Required Order Details 001.exe

description	pid	process
Token: SeDebugPrivilege	1028	Required Order Details 001.exe
Token: SeDebugPrivilege	8	Required Order Details 001.exe

pid	process
1028	Required Order Details 001.exe
1028	Required Order Details 001.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Required Order Details 001.exeRequired Order Details 001.exe

description	pid	process	target process
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 1028 wrote to memory of 8	1028	Required Order Details 001.exe	Required Order Details 001.exe
PID 8 wrote to memory of 3104	8	Required Order Details 001.exe	netsh.exe
PID 8 wrote to memory of 3104	8	Required Order Details 001.exe	netsh.exe
PID 8 wrote to memory of 3104	8	Required Order Details 001.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Required Order Details 001.exe
"C:\Users\Admin\AppData\Local\Temp\Required Order Details 001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\Required Order Details 001.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:3104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Required Order Details 001.exe.log
MD5
2ce1b56364fa233e3c3b24c1094c08ef

SHA1
6bd332829aebe567d7b2cb1fd9a82dfe1791052f

SHA256
dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e

SHA512
5abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9

Download Submit
memory/8-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/8-3-0x000000000044C6EE-mapping.dmp

Download
memory/3104-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads