agenttesla | bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9

General

Target

DINTEC Order 28012021.exe
Size

1.1MB
MD5

16a00e358736ae0bf135aec278aee516
SHA1

e23a6de31dcefda3d84fcd8b0122f33c1a726249
SHA256

bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9
SHA512

62818848086b033eed1d1f43a133ae66e6da4d23b3d99b32ab5410d33f52f978c12ab84d231b461fd4249f086ce955c0a3d67d5eec325a9dd4c3ad7667f9a27a

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.vivaldi.net
Port:
587
Username:
[email protected]
Password:
Grace@331011Thinck

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4328-13-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4328-14-0x000000000043752E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

DINTEC Order 28012021.exe

description pid process target process

PID 4760 set thread context of 4328 4760 DINTEC Order 28012021.exe DINTEC Order 28012021.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DINTEC Order 28012021.exe

pid process

4328 DINTEC Order 28012021.exe
4328 DINTEC Order 28012021.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DINTEC Order 28012021.exe

description pid process

Token: SeDebugPrivilege 4328 DINTEC Order 28012021.exe

description	pid	process	target process
PID 4760 set thread context of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe

pid	process
4328	DINTEC Order 28012021.exe
4328	DINTEC Order 28012021.exe

description	pid	process
Token: SeDebugPrivilege	4328	DINTEC Order 28012021.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

DINTEC Order 28012021.exe

description	pid	process	target process
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe
PID 4760 wrote to memory of 4328	4760	DINTEC Order 28012021.exe	DINTEC Order 28012021.exe

C:\Users\Admin\AppData\Local\Temp\DINTEC Order 28012021.exe
"C:\Users\Admin\AppData\Local\Temp\DINTEC Order 28012021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\DINTEC Order 28012021.exe
"C:\Users\Admin\AppData\Local\Temp\DINTEC Order 28012021.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DINTEC Order 28012021.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/4328-13-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-26-0x0000000001371000-0x0000000001372000-memory.dmp

Filesize
4KB

Download
memory/4328-23-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/4328-22-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/4328-21-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/4328-16-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4328-14-0x000000000043752E-mapping.dmp

Download
memory/4760-7-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/4760-12-0x0000000006710000-0x00000000067B1000-memory.dmp

Filesize
644KB

Download
memory/4760-11-0x0000000005930000-0x0000000005933000-memory.dmp

Filesize
12KB

Download
memory/4760-10-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/4760-9-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/4760-8-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4760-6-0x0000000005DF0000-0x0000000005DF1000-memory.dmp

Filesize
4KB

Download
memory/4760-5-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/4760-3-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing