agenttesla | 3d77a5226e3fcb836c244e51904fd7746f9afd2b5594935eed7d6483238d8b04

General

Target

ORDER-9087.exe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3404-10-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

sekcqfb.exerttty72nv.exe

pid process

3556 sekcqfb.exe
3404 rttty72nv.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

sekcqfb.exe

description pid process target process

PID 3556 set thread context of 3404 3556 sekcqfb.exe rttty72nv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3556 set thread context of 3404	3556	sekcqfb.exe	rttty72nv.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

sekcqfb.exerttty72nv.exe

pid	process
3556	sekcqfb.exe
3556	sekcqfb.exe
3556	sekcqfb.exe
3556	sekcqfb.exe
3556	sekcqfb.exe
3556	sekcqfb.exe
3556	sekcqfb.exe
3556	sekcqfb.exe
3404	rttty72nv.exe
3404	rttty72nv.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sekcqfb.exe

pid process

3556 sekcqfb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rttty72nv.exe

description pid process

Token: SeDebugPrivilege 3404 rttty72nv.exe

description	pid	process
Token: SeDebugPrivilege	3404	rttty72nv.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ORDER-9087.exesekcqfb.exe

description	pid	process	target process
PID 644 wrote to memory of 3556	644	ORDER-9087.exe	sekcqfb.exe
PID 644 wrote to memory of 3556	644	ORDER-9087.exe	sekcqfb.exe
PID 644 wrote to memory of 3556	644	ORDER-9087.exe	sekcqfb.exe
PID 3556 wrote to memory of 3404	3556	sekcqfb.exe	rttty72nv.exe
PID 3556 wrote to memory of 3404	3556	sekcqfb.exe	rttty72nv.exe
PID 3556 wrote to memory of 3404	3556	sekcqfb.exe	rttty72nv.exe
PID 3556 wrote to memory of 3404	3556	sekcqfb.exe	rttty72nv.exe

C:\Users\Admin\AppData\Local\Temp\ORDER-9087.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER-9087.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe
  C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe C:\Users\Admin\AppData\Local\Temp\Nla\dragubcuw.vza
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
    C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe C:\Users\Admin\AppData\Local\Temp\Nla\dragubcuw.vza
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\dragubcuw.vza

MD5
35c8169a76f07c2ef9cc306aae3a923f

SHA1
e4bdc01083c6938d0b1fa6341c2412aa34dfb37b

SHA256
946ef660c14f1a9c817553ff1f264e4fd5bd272a857c99ea9798c727e75a73e2

SHA512
49439919d46549908d2022c886b770ea9aeff350a5258cbae5f4e14c2ab9eb8098f3aaa6322cec0f6641fcc0de676eb83ecba4644aa07cc397614beab6fcbe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe

MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\ysnzsszv.cg

MD5
a1c890effda03ce27a5df996d7692fa3

SHA1
2dafe7a1f6f86f5ef0f692d8093e92e07c445f4d

SHA256
eeb0d64753cf0d3942f37930dd2f37d3a7111688bf106a9068734f9cfa42280b

SHA512
9ded8ea17c20a31ce43085d2808618efaeb425a72b48eb11878b23bb2024cabb3b78cf72429fe46ae87eb1f64eddd0b18a23c48bedc0a16fee78fbb33e23af06

Download Submit
memory/3404-8-0x000000000040188B-mapping.dmp

Download
memory/3404-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3404-11-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/3404-12-0x0000000002761000-0x0000000002762000-memory.dmp

Filesize
4KB

Download
memory/3404-13-0x0000000002762000-0x0000000002764000-memory.dmp

Filesize
8KB

Download
memory/3404-14-0x0000000002767000-0x0000000002768000-memory.dmp

Filesize
4KB

Download
memory/3404-15-0x0000000002768000-0x0000000002769000-memory.dmp

Filesize
4KB

Download
memory/3404-16-0x000000000276D000-0x000000000276F000-memory.dmp

Filesize
8KB

Download
memory/3556-2-0x0000000000000000-mapping.dmp

Download
memory/3556-7-0x0000000004900000-0x0000000004902000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads