agenttesla | 1bda01f0ea187a42b179d780e45f45e229caecdca515402f781df52bc8ca3420

General

Target

HTG-9066543.exe
Size

708KB
MD5

ffee54880cc41b051b00115466ff6298
SHA1

758745708de2c683045a0bc6f96efad065d463e0
SHA256

1bda01f0ea187a42b179d780e45f45e229caecdca515402f781df52bc8ca3420
SHA512

f21141c723a4dd2ad8549b936d84112f32c6bf6986abb623dde6a1cf3b85437efed45627d82224c23b0902a2e34d695a5ba166d22efc7665157845e5605eb242

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.kpce-co.com
Port:
587
Username:
[email protected]
Password:
g@jnJ{#6Eva5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2436-11-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/2436-12-0x0000000002390000-0x00000000023C6000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

ldauib.exeoon80gy9qs.exe

pid process

1884 ldauib.exe
2436 oon80gy9qs.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

ldauib.exe

description pid process target process

PID 1884 set thread context of 2436 1884 ldauib.exe oon80gy9qs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1884 set thread context of 2436	1884	ldauib.exe	oon80gy9qs.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ldauib.exeoon80gy9qs.exe

pid	process
1884	ldauib.exe
1884	ldauib.exe
1884	ldauib.exe
1884	ldauib.exe
1884	ldauib.exe
1884	ldauib.exe
1884	ldauib.exe
1884	ldauib.exe
2436	oon80gy9qs.exe
2436	oon80gy9qs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ldauib.exe

pid process

1884 ldauib.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

oon80gy9qs.exe

description pid process

Token: SeDebugPrivilege 2436 oon80gy9qs.exe

description	pid	process
Token: SeDebugPrivilege	2436	oon80gy9qs.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

HTG-9066543.exeldauib.exe

description	pid	process	target process
PID 3888 wrote to memory of 1884	3888	HTG-9066543.exe	ldauib.exe
PID 3888 wrote to memory of 1884	3888	HTG-9066543.exe	ldauib.exe
PID 3888 wrote to memory of 1884	3888	HTG-9066543.exe	ldauib.exe
PID 1884 wrote to memory of 2436	1884	ldauib.exe	oon80gy9qs.exe
PID 1884 wrote to memory of 2436	1884	ldauib.exe	oon80gy9qs.exe
PID 1884 wrote to memory of 2436	1884	ldauib.exe	oon80gy9qs.exe
PID 1884 wrote to memory of 2436	1884	ldauib.exe	oon80gy9qs.exe

C:\Users\Admin\AppData\Local\Temp\HTG-9066543.exe
"C:\Users\Admin\AppData\Local\Temp\HTG-9066543.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\Nla\ldauib.exe
C:\Users\Admin\AppData\Local\Temp\Nla\ldauib.exe C:\Users\Admin\AppData\Local\Temp\Nla\jcrypgdcu.vsl
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\Nla\oon80gy9qs.exe
C:\Users\Admin\AppData\Local\Temp\Nla\ldauib.exe C:\Users\Admin\AppData\Local\Temp\Nla\jcrypgdcu.vsl
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\jcrypgdcu.vsl
MD5
2f411ead5a26a57d896f77114305ca74

SHA1
cf4fefad851560a179420eec04814df5cac4332e

SHA256
78e882f79de1808f8f1d20c671667bcaf7fae6e44d16258204c92306c191c515

SHA512
f9bc99a98cedaf13f65ff40cab7842388289490e483a44d3993cc5914c3a1f68b07114b7a38717f7497f45a9171435bb0083de2964264642abb40334ebb7011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\ldauib.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\ldauib.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\oon80gy9qs.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\whmnljkmkp.idu
MD5
78619ae8c7646998506018a1b5358f9c

SHA1
98fdd1f20c66c006f726f3eca76ff713071fbf7b

SHA256
f8ad84dd359f6df374fa281c4ba827684e5653474cdf7c8ed0c826695c081983

SHA512
fbdcf40951129237212af7de46c8654950be0896c05287041e936283c347bf82732e53d6f53ffade7828ca28ca142283cf17dedaf769f0f3102ed45ddec1b89c

Download Submit
memory/1884-10-0x00000000008F0000-0x00000000008F2000-memory.dmp

Filesize
8KB

Download
memory/1884-2-0x0000000000000000-mapping.dmp

Download
memory/2436-12-0x0000000002390000-0x00000000023C6000-memory.dmp

Filesize
216KB

Download
memory/2436-16-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2436-9-0x0000000073780000-0x0000000073E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-7-0x000000000040188B-mapping.dmp

Download
memory/2436-14-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2436-15-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2436-17-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/2436-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2436-19-0x0000000004C94000-0x0000000004C95000-memory.dmp

Filesize
4KB

Download
memory/2436-18-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/2436-20-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2436-21-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/2436-22-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/2436-23-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads