agenttesla | eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a

General

Target

146938fb56dd1017e45b1483dff8e353.exe
Size

947KB
MD5

146938fb56dd1017e45b1483dff8e353
SHA1

7104dada4cff7cd2e1ac643877bca649b35e7aee
SHA256

eda77a2a6a764257be0cc3de5d0d316cf149e28912804bda421607d6c8657f4a
SHA512

32b0cfbc2673f8eb9079916ba82f07870cfb87195780b82f2cfd4b75670a9d44a5e7239a377c803bc75fe8171a18bc03ea85fe51129f16f0d6ff4991e4914201

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.godforeu.com
Port:
587
Username:
[email protected]
Password:
O8k#Pz4sk:w_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3456-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3456-6-0x000000000043749E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe

description pid process target process

PID 640 set thread context of 3456 640 146938fb56dd1017e45b1483dff8e353.exe 146938fb56dd1017e45b1483dff8e353.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe

pid process

3456 146938fb56dd1017e45b1483dff8e353.exe
3456 146938fb56dd1017e45b1483dff8e353.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe

description pid process

Token: SeDebugPrivilege 3456 146938fb56dd1017e45b1483dff8e353.exe

description	pid	process	target process
PID 640 set thread context of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe

pid	process
3800	schtasks.exe

pid	process
3456	146938fb56dd1017e45b1483dff8e353.exe
3456	146938fb56dd1017e45b1483dff8e353.exe

description	pid	process
Token: SeDebugPrivilege	3456	146938fb56dd1017e45b1483dff8e353.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

146938fb56dd1017e45b1483dff8e353.exe

description	pid	process	target process
PID 640 wrote to memory of 3800	640	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 640 wrote to memory of 3800	640	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 640 wrote to memory of 3800	640	146938fb56dd1017e45b1483dff8e353.exe	schtasks.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe
PID 640 wrote to memory of 3456	640	146938fb56dd1017e45b1483dff8e353.exe	146938fb56dd1017e45b1483dff8e353.exe

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nwcdFkAETi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57A6.tmp"
2⤵
- Creates scheduled task(s)
PID:3800

C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe
"C:\Users\Admin\AppData\Local\Temp\146938fb56dd1017e45b1483dff8e353.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\146938fb56dd1017e45b1483dff8e353.exe.log
MD5
5e7bb97636a484b5a87e60373614279a

SHA1
36bfdec32eedb141a4a106d89a453326f62593ee

SHA256
12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20

SHA512
448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57A6.tmp
MD5
e9648d2cb1ca183f9777772e0bb95ead

SHA1
8f0aa940d56f66f799ebcbd4dcc41c922d19d5b4

SHA256
9297234fa37e65b5be0b42ace9a0693d443c8ea010f058bf25a7e3e11cbac563

SHA512
e4756f13cd2954a2b429094677ed19aca6c2a8ee4b508c44b5b5e2d110b51f3ed81337859ea4625a4358b225ca1185213cbdbe6f63f9d6f8170fc9eebb228adf

Download Submit
memory/640-2-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/640-8-0x0000000002601000-0x0000000002602000-memory.dmp

Filesize
4KB

Download
memory/3456-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3456-6-0x000000000043749E-mapping.dmp

Download
memory/3456-9-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/3456-10-0x0000000000D31000-0x0000000000D32000-memory.dmp

Filesize
4KB

Download
memory/3456-11-0x0000000000D32000-0x0000000000D33000-memory.dmp

Filesize
4KB

Download
memory/3800-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads