agenttesla | 4f4b3dded538765e48f27d8bf0ef605572313a3f95f71f642daa53402abd8776

General

Target

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
Size

635KB
MD5

ca9ce774706c2f1708af10d3da19be03
SHA1

059fc99b8d6ff50f997d7acb1a0ccf55cc776605
SHA256

4f4b3dded538765e48f27d8bf0ef605572313a3f95f71f642daa53402abd8776
SHA512

b351dbb0eae5871f7996a46d004862c824fdc6f23bfb06cff6b55f3662fc453e890e5af94c0b02cbf513228be27e39a5f13ccade69b5bd3de4149af1f34ed760

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://universalinks.net/
Port:
21
Username:
bring4@universalinks.net
Password:
{lafa{u^wEx8

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/688-67-0x000000000043775E-mapping.dmp	family_agenttesla
behavioral1/memory/688-66-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/688-68-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 1 IoCs

Processes:

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

description	pid	process	target process
PID 1072 set thread context of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

pid	process
688	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
688	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

description pid process

Token: SeDebugPrivilege 688 EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

pid process

688 EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

description	pid	process
Token: SeDebugPrivilege	688	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

description	pid	process	target process
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
PID 1072 wrote to memory of 688	1072	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe	EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe

C:\Users\Admin\AppData\Local\Temp\EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
"C:\Users\Admin\AppData\Local\Temp\EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\EFINAL REVISED_INVOICE AND PACKING LIST FOR SHIPMENT Email no. M1053 dd. June 26, 2021.exe
"{path}"
2⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:688

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-67-0x000000000043775E-mapping.dmp

Download
memory/688-66-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/688-70-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/688-71-0x0000000004A01000-0x0000000004A02000-memory.dmp

Filesize
4KB

Download
memory/1072-59-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/1072-61-0x0000000000AE0000-0x0000000000B39000-memory.dmp

Filesize
356KB

Download
memory/1072-62-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/1072-63-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download
memory/1072-64-0x0000000004CE0000-0x0000000004D5A000-memory.dmp

Filesize
488KB

Download
memory/1072-65-0x0000000000C10000-0x0000000000C48000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads