agenttesla | 4c05725a37cb5a13ba3f7bc3993958bb56a234b47ae5869ceb92c2d8f98635f3

General

Target

FedEx-Shipment-61821461149.jar
Size

1.1MB
MD5

796276ef3bb0cff9f450ee0d2904b9a6
SHA1

b0f27e95169499f019fa45e0de2f31b84fd03298
SHA256

4c05725a37cb5a13ba3f7bc3993958bb56a234b47ae5869ceb92c2d8f98635f3
SHA512

0cf482410883c6d3a8498cb06bde5595bd506ddde9a0c7b1231800e48c4a206305bc1cb09340a4cb620bc44a6a2123040b2edc9f389e84147d88bf71d25f7435

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pexonteam.rs
Port:
587
Username:
[email protected]
Password:
Mdn7dRsJ[7q}

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1000-16-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1000-17-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral1/memory/1000-20-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

fnd2So.exefnd2So.exe

pid process

1960 fnd2So.exe
1000 fnd2So.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

fnd2So.exe

description pid process target process

PID 1960 set thread context of 1000 1960 fnd2So.exe fnd2So.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fnd2So.exe

pid process

1000 fnd2So.exe
1000 fnd2So.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1704 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fnd2So.exe

description pid process

Token: SeDebugPrivilege 1000 fnd2So.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

java.exeAcroRd32.exe

pid process

1336 java.exe
1704 AcroRd32.exe
1704 AcroRd32.exe
1704 AcroRd32.exe

pid	process
1960	fnd2So.exe
1000	fnd2So.exe

description	pid	process	target process
PID 1960 set thread context of 1000	1960	fnd2So.exe	fnd2So.exe

pid	process
1000	fnd2So.exe
1000	fnd2So.exe

pid	process
1704	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	1000	fnd2So.exe

pid	process
1336	java.exe
1704	AcroRd32.exe
1704	AcroRd32.exe
1704	AcroRd32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

java.exefnd2So.exe

description	pid	process	target process
PID 1336 wrote to memory of 1960	1336	java.exe	fnd2So.exe
PID 1336 wrote to memory of 1960	1336	java.exe	fnd2So.exe
PID 1336 wrote to memory of 1960	1336	java.exe	fnd2So.exe
PID 1336 wrote to memory of 1960	1336	java.exe	fnd2So.exe
PID 1336 wrote to memory of 1704	1336	java.exe	AcroRd32.exe
PID 1336 wrote to memory of 1704	1336	java.exe	AcroRd32.exe
PID 1336 wrote to memory of 1704	1336	java.exe	AcroRd32.exe
PID 1336 wrote to memory of 1704	1336	java.exe	AcroRd32.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe
PID 1960 wrote to memory of 1000	1960	fnd2So.exe	fnd2So.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\FedEx-Shipment-61821461149.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\fnd2So.exe
C:\Users\Admin\fnd2So.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\fnd2So.exe
"C:\Users\Admin\fnd2So.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\2rT0ij0AP.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1704

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\2rT0ij0AP.pdf
MD5
524fcfad9aeab4bbebb7eb9c713bb185

SHA1
041914a609a61ec9487063a462434de523fe2471

SHA256
da13ea60cabf1b692cbfd07cfcafe3a2d1393a745ac817161498dc04db2f9208

SHA512
2131c93a19d6d2cefe45070a1eccc0c307060aa0361f935be559defd0069b5da860473ece763a3b83d62974aaa7f0295fb4d1e49405307ae826cb48b6295121b

Download Submit
C:\Users\Admin\fnd2So.exe
MD5
7da8b4001777c09fac01f6d5401706e7

SHA1
94d936a8ab33ad3eb2aa536cfe16d733b8275d33

SHA256
e88cd272e8c4edb52f30b28bd1466b8176337a146c7ed215c1713bfc279b1487

SHA512
e2bef1be7326ff62edec028953b1134051f962744b8ac718ce1bdb96acfe75ae381fda290a9c5f7009ce68bc20b8262944d9ef5c3cfc2f7948df249f14e47870

Download Submit
C:\Users\Admin\fnd2So.exe
MD5
7da8b4001777c09fac01f6d5401706e7

SHA1
94d936a8ab33ad3eb2aa536cfe16d733b8275d33

SHA256
e88cd272e8c4edb52f30b28bd1466b8176337a146c7ed215c1713bfc279b1487

SHA512
e2bef1be7326ff62edec028953b1134051f962744b8ac718ce1bdb96acfe75ae381fda290a9c5f7009ce68bc20b8262944d9ef5c3cfc2f7948df249f14e47870

Download Submit
C:\Users\Admin\fnd2So.exe
MD5
7da8b4001777c09fac01f6d5401706e7

SHA1
94d936a8ab33ad3eb2aa536cfe16d733b8275d33

SHA256
e88cd272e8c4edb52f30b28bd1466b8176337a146c7ed215c1713bfc279b1487

SHA512
e2bef1be7326ff62edec028953b1134051f962744b8ac718ce1bdb96acfe75ae381fda290a9c5f7009ce68bc20b8262944d9ef5c3cfc2f7948df249f14e47870

Download Submit
memory/1000-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-23-0x0000000004C51000-0x0000000004C52000-memory.dmp

Filesize
4KB

Download
memory/1000-22-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1000-20-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1000-19-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/1000-17-0x000000000043764E-mapping.dmp

Download
memory/1336-3-0x0000000002230000-0x00000000024A0000-memory.dmp

Filesize
2.4MB

Download
memory/1336-2-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1704-8-0x0000000000000000-mapping.dmp

Download
memory/1704-9-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1960-15-0x0000000004910000-0x000000000497A000-memory.dmp

Filesize
424KB

Download
memory/1960-14-0x0000000000410000-0x0000000000413000-memory.dmp

Filesize
12KB

Download
memory/1960-13-0x0000000007210000-0x0000000007211000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/1960-7-0x0000000072D60000-0x000000007344E000-memory.dmp

Filesize
6.9MB

Download
memory/1960-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing