agenttesla | 0fba63de28c93fd00593e1b906f7a78e197d3392ed24fc4e4d24c8405d11bab7

General

Target

SWIFT CONFIRMATION.exe
Size

736KB
MD5

56a49812b0b2214950f241aeec86fa55
SHA1

c33b64a409a9fdb32555e14ef57290afa3942710
SHA256

0fba63de28c93fd00593e1b906f7a78e197d3392ed24fc4e4d24c8405d11bab7
SHA512

6dac655ca3266b4444c4a739aeeda622db8581b5673f2ce4f05a81e9b5e4083fe708343b66df0575653f414d7b6d7d3ca3249a4a78321fe4810e1ce2cea18ff5

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.saisianket-tech.com
Port:
587
Username:
akibapen@saisianket-tech.com
Password:
donblack12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3412-124-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3412-125-0x00000000004365AE-mapping.dmp	family_agenttesla
behavioral2/memory/3412-131-0x0000000004DB0000-0x00000000052AE000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

Processes:

SWIFT CONFIRMATION.exe

description pid process target process

PID 3900 set thread context of 3412 3900 SWIFT CONFIRMATION.exe SWIFT CONFIRMATION.exe

description	pid	process	target process
PID 3900 set thread context of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SWIFT CONFIRMATION.exeSWIFT CONFIRMATION.exe

pid	process
3900	SWIFT CONFIRMATION.exe
3900	SWIFT CONFIRMATION.exe
3900	SWIFT CONFIRMATION.exe
3900	SWIFT CONFIRMATION.exe
3412	SWIFT CONFIRMATION.exe
3412	SWIFT CONFIRMATION.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SWIFT CONFIRMATION.exeSWIFT CONFIRMATION.exe

description pid process

Token: SeDebugPrivilege 3900 SWIFT CONFIRMATION.exe
Token: SeDebugPrivilege 3412 SWIFT CONFIRMATION.exe

description	pid	process
Token: SeDebugPrivilege	3900	SWIFT CONFIRMATION.exe
Token: SeDebugPrivilege	3412	SWIFT CONFIRMATION.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SWIFT CONFIRMATION.exe

description	pid	process	target process
PID 3900 wrote to memory of 3428	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3428	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3428	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3388	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3388	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3388	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe
PID 3900 wrote to memory of 3412	3900	SWIFT CONFIRMATION.exe	SWIFT CONFIRMATION.exe

C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe
"{path}"
2⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe
"{path}"
2⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\SWIFT CONFIRMATION.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SWIFT CONFIRMATION.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
memory/3412-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3412-133-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/3412-132-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/3412-131-0x0000000004DB0000-0x00000000052AE000-memory.dmp

Filesize
5.0MB

Download
memory/3412-125-0x00000000004365AE-mapping.dmp

Download
memory/3900-118-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3900-122-0x0000000007730000-0x00000000077E8000-memory.dmp

Filesize
736KB

Download
memory/3900-123-0x0000000009ED0000-0x0000000009F43000-memory.dmp

Filesize
460KB

Download
memory/3900-121-0x00000000050B0000-0x00000000055AE000-memory.dmp

Filesize
5.0MB

Download
memory/3900-120-0x0000000007090000-0x0000000007092000-memory.dmp

Filesize
8KB

Download
memory/3900-119-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3900-114-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3900-117-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3900-116-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads