agenttesla | 4b42e00e660b8642f39a05d3b054ee060274b88fb11cb15f2e97b27daaac9efd

General

Target

EQUIPMENT MATERAILS NEEDED.exe
Size

765KB
MD5

39c394bba15fb14020e2d939ba91d957
SHA1

db372cb164a8b984a9939058f024e901cbe00f81
SHA256

4b42e00e660b8642f39a05d3b054ee060274b88fb11cb15f2e97b27daaac9efd
SHA512

f137fc9b1319dfac598123591fa74bcb6a46598ef70302265ef683e77e3ec6e70fdba463d4ddfaa2cb19e4670ffd9c05e2c35bdbde2ce8229553ec61c191c845

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.twu-info.us
Port:
587
Username:
[email protected]
Password:
L@ywYdM6

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/564-8-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/564-9-0x000000000043759E-mapping.dmp	family_agenttesla
behavioral1/memory/564-11-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EQUIPMENT MATERAILS NEEDED.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\eCwYM = "C:\\Users\\Admin\\AppData\\Roaming\\eCwYM\\eCwYM.exe"	EQUIPMENT MATERAILS NEEDED.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

EQUIPMENT MATERAILS NEEDED.exe

description pid process target process

PID 1684 set thread context of 564 1684 EQUIPMENT MATERAILS NEEDED.exe EQUIPMENT MATERAILS NEEDED.exe

description	pid	process	target process
PID 1684 set thread context of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

EQUIPMENT MATERAILS NEEDED.exeEQUIPMENT MATERAILS NEEDED.exe

pid	process
1684	EQUIPMENT MATERAILS NEEDED.exe
1684	EQUIPMENT MATERAILS NEEDED.exe
1684	EQUIPMENT MATERAILS NEEDED.exe
564	EQUIPMENT MATERAILS NEEDED.exe
564	EQUIPMENT MATERAILS NEEDED.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

EQUIPMENT MATERAILS NEEDED.exeEQUIPMENT MATERAILS NEEDED.exe

description pid process

Token: SeDebugPrivilege 1684 EQUIPMENT MATERAILS NEEDED.exe
Token: SeDebugPrivilege 564 EQUIPMENT MATERAILS NEEDED.exe

description	pid	process
Token: SeDebugPrivilege	1684	EQUIPMENT MATERAILS NEEDED.exe
Token: SeDebugPrivilege	564	EQUIPMENT MATERAILS NEEDED.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQUIPMENT MATERAILS NEEDED.exe

C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe
"C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe
"C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe"
2⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe
"C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe"
2⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe
"C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe"
2⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe
"C:\Users\Admin\AppData\Local\Temp\EQUIPMENT MATERAILS NEEDED.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/564-9-0x000000000043759E-mapping.dmp

Download
memory/564-10-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/564-11-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/564-13-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/1684-3-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1684-5-0x0000000000360000-0x0000000000363000-memory.dmp

Filesize
12KB

Download
memory/1684-6-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1684-7-0x0000000004760000-0x00000000047BC000-memory.dmp

Filesize
368KB

Download

description	pid	process	target process
PID 1684 wrote to memory of 1748	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1748	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1748	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1748	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 400	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 400	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 400	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 400	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1216	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1216	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1216	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 1216	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe
PID 1684 wrote to memory of 564	1684	EQUIPMENT MATERAILS NEEDED.exe	EQUIPMENT MATERAILS NEEDED.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads