agenttesla | 68b03caba912a93057cc47618982c7c33ec41ccc1ab853b2e0d7483a383df603

General

Target

SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
Size

828KB
MD5

2bdefd73dd2bb3c79fb31f58b979c497
SHA1

3df7f884fcaf945946443a451ddd5e8170dc6ca7
SHA256

68b03caba912a93057cc47618982c7c33ec41ccc1ab853b2e0d7483a383df603
SHA512

f8097b3ec587abb29f8eb0df75cc70e9ebf7e5a997827571dceeadc1fd63bf58a56a22717877cfd4625035d9be036ee4b61def76d6cf2c4080cd10e4b15fa335

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.soin3.com
Port:
587
Username:
mojo@soin3.com
Password:
icui4cu2@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1008-3-0x000000000043722E-mapping.dmp	family_agenttesla
behavioral2/memory/1008-2-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

description	pid	process	target process
PID 1404 set thread context of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

Drops file in Windows directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exeSecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

pid	process
1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
1008	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
1008	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exeSecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

description	pid	process
Token: SeDebugPrivilege	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
Token: SeDebugPrivilege	1008	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

description	pid	process	target process
PID 1404 wrote to memory of 740	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 740	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 740	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 476	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 476	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 476	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
PID 1404 wrote to memory of 1008	1404	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe	SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
2⤵
PID:740

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
2⤵
PID:476

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe.log
MD5
913522c9c0f65d51268d96a1af18324c

SHA1
1d42b9400d8aac6c8de76064698dd9c1115a6cb8

SHA256
9ec1f0458ee4d86a7d01354f7dcb2b699b5a002a8555348b725ae3561e22a280

SHA512
fe5201e887cdc1e1125e54cd92587fe0d1f5665f93e302c7be0eb33abd2310a3f944f44b80129861258be49925cbaf3d26111d7eaa146e18593cc6ed4df77ea2

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
MD5
79c15d1391af2809d3bb83868605f254

SHA1
8ba6eb4bb387b7c400b219845650150ed3142c02

SHA256
208ff33fafd315395496e02f1e5c91bd87e60752d93351246233f6db5a65e17a

SHA512
c1a6d4e2efbba8c9f6e9de81d790676475e8a4b6fb7e368d5034c987832b7741be3c40c48977e7c6bb10d4d4e6b4a1e4c843333ac2ecaca5f480544da3bae976

Download Submit
memory/1008-3-0x000000000043722E-mapping.dmp

Download
memory/1008-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads