agenttesla | 1452321ac76d7b39e67e4b280bef74311bd00eb614c2e7f97a033649ccbd4115

General

Target

198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
Size

723KB
MD5

6fc7cb62d3c44b6d28afbfa537c9bcbc
SHA1

d4105ddb2fe2051287525c3652470d40dae6f73d
SHA256

198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df
SHA512

005ebc963720d47a1812f60a50d9bdf99fb53aa7fcd06650074235c48d276d02a4a0894492e37867d9cba1c0841b4c08d83f724082245bd3e3c55a1c9f41fda5

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.campingcubillas.com
Port:
587
Username:
desire@campingcubillas.com
Password:
bkn27o425xp2

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-125-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1524-126-0x000000000043764E-mapping.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

description	pid	process	target process
PID 2016 set thread context of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

pid	process
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
1524	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
1524	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

description	pid	process
Token: SeDebugPrivilege	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
Token: SeDebugPrivilege	1524	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
"C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
"C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe"
2⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
"C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe"
2⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
"C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe"
2⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
"C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe"
2⤵
PID:3952

C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
"C:\Users\Admin\AppData\Local\Temp\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/1524-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1524-137-0x0000000005001000-0x0000000005002000-memory.dmp

Filesize
4KB

Download
memory/1524-134-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/1524-133-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/1524-132-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1524-126-0x000000000043764E-mapping.dmp

Download
memory/2016-119-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/2016-123-0x0000000006A10000-0x0000000006AAE000-memory.dmp

Filesize
632KB

Download
memory/2016-124-0x0000000006AB0000-0x0000000006B2F000-memory.dmp

Filesize
508KB

Download
memory/2016-122-0x0000000004B60000-0x000000000505E000-memory.dmp

Filesize
5.0MB

Download
memory/2016-121-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/2016-120-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2016-118-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2016-117-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2016-116-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 2016 wrote to memory of 2664	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 2664	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 2664	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 2716	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 2716	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 2716	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 3144	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 3144	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 3144	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 3952	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 3952	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 3952	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe
PID 2016 wrote to memory of 1524	2016	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe	198af255a94829adaf3922f0c123e0378c73607d044ada3eb86af5a7358129df.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads