agenttesla | 8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497

General

Target

OCXQZK3KWmWNdRx.exe
Size

803KB
MD5

c6286c765c37478223b99c6ab0dc96f5
SHA1

eb043c7435526162e7e3a85005421fba3c1f3618
SHA256

8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497
SHA512

04bfd49be5af17080f7fed1b28e665aa8a76e637589a3a0e4d846c79c79bfb56d78508898d2181b928e7483d7b4489f19831c58dea29ef0997d48b772da384e4

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.flood-protection.org
Port:
587
Username:
uchedon@flood-protection.org
Password:
uchedon2424@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2008-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2008-14-0x00000000004374DE-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

OCXQZK3KWmWNdRx.exe

description pid process target process

PID 636 set thread context of 2008 636 OCXQZK3KWmWNdRx.exe OCXQZK3KWmWNdRx.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

OCXQZK3KWmWNdRx.exe

pid process

2008 OCXQZK3KWmWNdRx.exe
2008 OCXQZK3KWmWNdRx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

OCXQZK3KWmWNdRx.exe

description pid process

Token: SeDebugPrivilege 2008 OCXQZK3KWmWNdRx.exe

description	pid	process	target process
PID 636 set thread context of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe

pid	process
2008	OCXQZK3KWmWNdRx.exe
2008	OCXQZK3KWmWNdRx.exe

description	pid	process
Token: SeDebugPrivilege	2008	OCXQZK3KWmWNdRx.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

OCXQZK3KWmWNdRx.exe

description	pid	process	target process
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe
PID 636 wrote to memory of 2008	636	OCXQZK3KWmWNdRx.exe	OCXQZK3KWmWNdRx.exe

C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe
"C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe
"C:\Users\Admin\AppData\Local\Temp\OCXQZK3KWmWNdRx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OCXQZK3KWmWNdRx.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/636-7-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/636-8-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/636-12-0x0000000005AD0000-0x0000000005B47000-memory.dmp

Filesize
476KB

Download
memory/636-2-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/636-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/636-9-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/636-10-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/636-11-0x0000000004ED0000-0x0000000004EF3000-memory.dmp

Filesize
140KB

Download
memory/636-6-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/636-5-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2008-14-0x00000000004374DE-mapping.dmp

Download
memory/2008-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2008-16-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/2008-21-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/2008-22-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/2008-23-0x0000000006560000-0x0000000006561000-memory.dmp

Filesize
4KB

Download
memory/2008-26-0x0000000005921000-0x0000000005922000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing