agenttesla | b141faddbcb0caebf4aee4b27128609d2a254719da84371a64867bb3ef27be3a

General

Target

DOCUMENT No. 4 & 5.exe
Size

543KB
MD5

83600f4b738720bfdd0f0a65d3398a79
SHA1

ac1e74674eee3c0249c9bedfe041c90bd83327f5
SHA256

c5f0b11cba973a4b098ef858ae755ef0e6353296ae998503eafb3a67fa21d1c0
SHA512

35e767959b6deb51323414f1875aac16d1b68d79c87eb834fd0bfd6ca4d5165d35dbc7b6dab2b57cff1d70fde0fd6d6fb9878983b95cd21961378b2a5511502e

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.scahe.co.in
Port:
587
Username:
[email protected]
Password:
scaheavy@12345

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1280-57-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1280-58-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral1/memory/1280-60-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1280-61-0x0000000001F10000-0x0000000001F47000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts DOCUMENT No. 4 & 5.exe
Loads dropped DLL 1 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

pid process

472 DOCUMENT No. 4 & 5.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DOCUMENT No. 4 & 5.exe

pid	process
472	DOCUMENT No. 4 & 5.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

DOCUMENT No. 4 & 5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT No. 4 & 5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT No. 4 & 5.exe
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT No. 4 & 5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

description pid process target process

PID 472 set thread context of 1280 472 DOCUMENT No. 4 & 5.exe DOCUMENT No. 4 & 5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

pid process

1280 DOCUMENT No. 4 & 5.exe
1280 DOCUMENT No. 4 & 5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

description pid process

Token: SeDebugPrivilege 1280 DOCUMENT No. 4 & 5.exe

description	pid	process	target process
PID 472 set thread context of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe

pid	process
1280	DOCUMENT No. 4 & 5.exe
1280	DOCUMENT No. 4 & 5.exe

description	pid	process
Token: SeDebugPrivilege	1280	DOCUMENT No. 4 & 5.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

description	pid	process	target process
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe
PID 472 wrote to memory of 1280	472	DOCUMENT No. 4 & 5.exe	DOCUMENT No. 4 & 5.exe

outlook_office_path 1 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT No. 4 & 5.exe

outlook_win_path 1 IoCs

Processes:

DOCUMENT No. 4 & 5.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DOCUMENT No. 4 & 5.exe

C:\Users\Admin\AppData\Local\Temp\DOCUMENT No. 4 & 5.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT No. 4 & 5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:472

C:\Users\Admin\AppData\Local\Temp\DOCUMENT No. 4 & 5.exe
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT No. 4 & 5.exe"
2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1280

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsiF789.tmp\gdhcrgo.dll
MD5
a0d89d8edb86db24831ea85b7a3c5dbb

SHA1
359fe728bef83a0ea27458ad4411c2e147a1069f

SHA256
8c6b8c843d3a4959c502d55be98e60729480401e20a7515e779fbf78edfc79a7

SHA512
1de3200778c3606c4ad15ae1f1137842e0aa6f268eac24cb3c7821e9f4cccddbf08a2157430cf8a64a8567c8c16a01b5a24ea4b66d8e6e289e5531a121e987ec

Download Submit
memory/472-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1280-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1280-58-0x000000000040188B-mapping.dmp

Download
memory/1280-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1280-61-0x0000000001F10000-0x0000000001F47000-memory.dmp

Filesize
220KB

Download
memory/1280-64-0x00000000044F2000-0x00000000044F3000-memory.dmp

Filesize
4KB

Download
memory/1280-63-0x00000000044F1000-0x00000000044F2000-memory.dmp

Filesize
4KB

Download
memory/1280-65-0x00000000044F3000-0x00000000044F4000-memory.dmp

Filesize
4KB

Download
memory/1280-66-0x00000000044F4000-0x00000000044F5000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads