agenttesla | 708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089

General

Target

para.exe
Size

928KB
MD5

80b51e872031a2befeb9a0a13e6fc480
SHA1

caebbab5349f57d92182ce56ef4bf71ea60226a7
SHA256

708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089
SHA512

12e9db89be76788d238f8a7f3114534b50b953b9ef619f84b0a124fba77f5e7d4aa00ae8f6ac3fdb16ecd1398950d6bdadfa43e9ec59b6d59667df5ac3d60879

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.godforeu.com
Port:
587
Username:
[email protected]
Password:
O8k#Pz4sk:w_

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3248-15-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3248-16-0x00000000004374CE-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

para.exe

description pid process target process

PID 1908 set thread context of 3248 1908 para.exe para.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1584 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

para.exepara.exe

pid process

1908 para.exe
1908 para.exe
1908 para.exe
1908 para.exe
1908 para.exe
3248 para.exe
3248 para.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

para.exepara.exe

description pid process

Token: SeDebugPrivilege 1908 para.exe
Token: SeDebugPrivilege 3248 para.exe

description	pid	process	target process
PID 1908 set thread context of 3248	1908	para.exe	para.exe

pid	process
1584	schtasks.exe

pid	process
1908	para.exe
1908	para.exe
1908	para.exe
1908	para.exe
1908	para.exe
3248	para.exe
3248	para.exe

description	pid	process
Token: SeDebugPrivilege	1908	para.exe
Token: SeDebugPrivilege	3248	para.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

para.exe

description	pid	process	target process
PID 1908 wrote to memory of 1584	1908	para.exe	schtasks.exe
PID 1908 wrote to memory of 1584	1908	para.exe	schtasks.exe
PID 1908 wrote to memory of 1584	1908	para.exe	schtasks.exe
PID 1908 wrote to memory of 3368	1908	para.exe	para.exe
PID 1908 wrote to memory of 3368	1908	para.exe	para.exe
PID 1908 wrote to memory of 3368	1908	para.exe	para.exe
PID 1908 wrote to memory of 3096	1908	para.exe	para.exe
PID 1908 wrote to memory of 3096	1908	para.exe	para.exe
PID 1908 wrote to memory of 3096	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe
PID 1908 wrote to memory of 3248	1908	para.exe	para.exe

C:\Users\Admin\AppData\Local\Temp\para.exe
"C:\Users\Admin\AppData\Local\Temp\para.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DA.tmp"
2⤵
- Creates scheduled task(s)
PID:1584

C:\Users\Admin\AppData\Local\Temp\para.exe
"C:\Users\Admin\AppData\Local\Temp\para.exe"
2⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\para.exe
"C:\Users\Admin\AppData\Local\Temp\para.exe"
2⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\para.exe
"C:\Users\Admin\AppData\Local\Temp\para.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\para.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DA.tmp
MD5
d2d541a70d66c95f33175840645703bd

SHA1
e53744315c3a46fbc642a1902decc8d9e1b5f644

SHA256
c29e6aef546e5f2978b9d639bd6b3b8685ad21e5de84d16f1d1a35b78c4f0d55

SHA512
10c06520751ac64efb0688a5c8bd4fec4e95f664ca3972e84b632a802680d3d472f7ab0de8085073016931527d52013733686b2241d3a19d6b6f87d26062fa10

Download Submit
memory/1584-13-0x0000000000000000-mapping.dmp

Download
memory/1908-8-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/1908-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1908-2-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-9-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/1908-10-0x0000000005030000-0x0000000005033000-memory.dmp

Filesize
12KB

Download
memory/1908-11-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/1908-12-0x0000000005EA0000-0x0000000005F0B000-memory.dmp

Filesize
428KB

Download
memory/1908-6-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1908-5-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1908-7-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3248-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3248-16-0x00000000004374CE-mapping.dmp

Download
memory/3248-18-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3248-23-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3248-24-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/3248-25-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/3248-28-0x0000000004F01000-0x0000000004F02000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads