agenttesla | 37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c

General

Target

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
Size

576KB
MD5

b19a2a4b7518271197afa5e5e657dbc7
SHA1

69b15cf78eadb6cd53037800fa29923bb0b87945
SHA256

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c
SHA512

77f8728bc33abb14f4225318b0d2b05e64b6c4676d0d16fd32153956f5c44c7323f54fad53b8a921660caec95ea33fe77a978aa3aefa6436e61f2848a72c5ad5

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1716-7-0x0000000000400000-0x0000000000475000-memory.dmp	family_agenttesla
behavioral1/memory/1716-8-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral1/memory/1716-10-0x0000000000400000-0x0000000000475000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

description	pid	process	target process
PID 1784 set thread context of 1716	1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe

pid	process
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

pid	process
1716	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
1716	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

pid	process
1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

description pid process

Token: SeDebugPrivilege 1716 37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

description	pid	process
Token: SeDebugPrivilege	1716	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.execmd.exe37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
"C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\be2cf8a04c944696b2f8321280f226c1.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\be2cf8a04c944696b2f8321280f226c1.xml"
3⤵
- Creates scheduled task(s)
PID:1964

C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
"C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe"
2⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
"C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
"C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe"
3⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
"C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
"C:\Users\Admin\AppData\Local\Temp\37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\be2cf8a04c944696b2f8321280f226c1.xml
MD5
a035055e1c80bc652520df45650c690f

SHA1
37b8364ad46e17199eb5a7ee89bb506bba384adb

SHA256
2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655

SHA512
678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1

Download Submit
memory/1156-0-0x0000000000000000-mapping.dmp

Download
memory/1716-7-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1716-8-0x000000000040188B-mapping.dmp

Download
memory/1716-10-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1784-6-0x0000000000000000-mapping.dmp

Download
memory/1924-1-0x0000000000480000-0x0000000000514000-memory.dmp

Filesize
592KB

Download
memory/1964-3-0x0000000000000000-mapping.dmp

Download
memory/1968-2-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1924 wrote to memory of 1156	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	cmd.exe
PID 1924 wrote to memory of 1156	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	cmd.exe
PID 1924 wrote to memory of 1156	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	cmd.exe
PID 1924 wrote to memory of 1156	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	cmd.exe
PID 1924 wrote to memory of 2040	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 2040	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 2040	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 2040	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 1968	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 1968	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 1968	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1924 wrote to memory of 1968	1924	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1156 wrote to memory of 1964	1156	cmd.exe	schtasks.exe
PID 1156 wrote to memory of 1964	1156	cmd.exe	schtasks.exe
PID 1156 wrote to memory of 1964	1156	cmd.exe	schtasks.exe
PID 1156 wrote to memory of 1964	1156	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 1888	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1888	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1888	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1888	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1784	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1784	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1784	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1968 wrote to memory of 1784	1968	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1784 wrote to memory of 1716	1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1784 wrote to memory of 1716	1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1784 wrote to memory of 1716	1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1784 wrote to memory of 1716	1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe
PID 1784 wrote to memory of 1716	1784	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe	37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads