agenttesla | 31ead0a4244133d6fb9387ff1490db83b9fd2dd6666fcd2897c4b1e72c5bf665

General

Target

TRANSFER SLIP.exe
Size

488KB
MD5

7013a024b99d8e32f3559117f3a89b9d
SHA1

d0eb94f6f86631be9a82a77508acd8bcf66941b9
SHA256

31ead0a4244133d6fb9387ff1490db83b9fd2dd6666fcd2897c4b1e72c5bf665
SHA512

2f37a1dc97e2a9eefd0b87c8dfa6ab34dcbe61bff9bc5ea351a46c399e230132166ed231910d32178fc96162d5033dfc8373c553de564ec221543a5009df4cf4

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.framafilms.com
Port:
587
Username:
[email protected]
Password:
lister11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1468-131-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/1468-132-0x00000000004374AE-mapping.dmp	family_agenttesla
behavioral2/memory/1468-138-0x0000000005510000-0x0000000005A0E000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

TRANSFER SLIP.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TRANSFER SLIP.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TRANSFER SLIP.exe
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TRANSFER SLIP.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TRANSFER SLIP.exe

description pid process target process

PID 2376 set thread context of 1468 2376 TRANSFER SLIP.exe TRANSFER SLIP.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

TRANSFER SLIP.exeTRANSFER SLIP.exe

pid process

2376 TRANSFER SLIP.exe
1468 TRANSFER SLIP.exe
1468 TRANSFER SLIP.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TRANSFER SLIP.exeTRANSFER SLIP.exe

description pid process

Token: SeDebugPrivilege 2376 TRANSFER SLIP.exe
Token: SeDebugPrivilege 1468 TRANSFER SLIP.exe

description	pid	process	target process
PID 2376 set thread context of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe

pid	process
3932	schtasks.exe

pid	process
2376	TRANSFER SLIP.exe
1468	TRANSFER SLIP.exe
1468	TRANSFER SLIP.exe

description	pid	process
Token: SeDebugPrivilege	2376	TRANSFER SLIP.exe
Token: SeDebugPrivilege	1468	TRANSFER SLIP.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

TRANSFER SLIP.exe

description	pid	process	target process
PID 2376 wrote to memory of 3932	2376	TRANSFER SLIP.exe	schtasks.exe
PID 2376 wrote to memory of 3932	2376	TRANSFER SLIP.exe	schtasks.exe
PID 2376 wrote to memory of 3932	2376	TRANSFER SLIP.exe	schtasks.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe
PID 2376 wrote to memory of 1468	2376	TRANSFER SLIP.exe	TRANSFER SLIP.exe

outlook_office_path 1 IoCs

Processes:

TRANSFER SLIP.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TRANSFER SLIP.exe

outlook_win_path 1 IoCs

Processes:

TRANSFER SLIP.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	TRANSFER SLIP.exe

C:\Users\Admin\AppData\Local\Temp\TRANSFER SLIP.exe
"C:\Users\Admin\AppData\Local\Temp\TRANSFER SLIP.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yvaSBtNNzYqZUt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BCF.tmp"
2⤵
- Creates scheduled task(s)
PID:3932

C:\Users\Admin\AppData\Local\Temp\TRANSFER SLIP.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRANSFER SLIP.exe.log

MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BCF.tmp

MD5
028b41056b65db43907f353520b14689

SHA1
7ffdb47676abc5b15a497ed3bd254cdf15f851c8

SHA256
76eb01974bed5df2ee4520836261354d54ccfd35251d05ec4dc290b6dc422f7b

SHA512
25a034e5a822b4479797282d8b09d92d261b48a3979f18e94a7131c661719b63c5f75d9ccbe7b93f7aed58560d6e2830bc807a77483ad5efad26207154edde53

Download Submit
memory/1468-143-0x0000000005510000-0x0000000005A0E000-memory.dmp

Filesize
5.0MB

Download
memory/1468-140-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/1468-139-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1468-138-0x0000000005510000-0x0000000005A0E000-memory.dmp

Filesize
5.0MB

Download
memory/1468-132-0x00000000004374AE-mapping.dmp

Download
memory/1468-131-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2376-123-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2376-128-0x0000000009970000-0x00000000099A8000-memory.dmp

Filesize
224KB

Download
memory/2376-127-0x0000000007320000-0x000000000739D000-memory.dmp

Filesize
500KB

Download
memory/2376-126-0x00000000050C0000-0x00000000055BE000-memory.dmp

Filesize
5.0MB

Download
memory/2376-125-0x0000000005420000-0x0000000005425000-memory.dmp

Filesize
20KB

Download
memory/2376-124-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2376-118-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2376-122-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2376-121-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/2376-120-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/3932-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads