agenttesla | 46dd53f3096877a4cad89b77f2d23018d8bc5887a9c0d699cb43ffe9d0b5e29d

General

Target

documentos Fedex.js
Size

1KB
MD5

42a82a614937b74596344fa2a1a7c737
SHA1

c13081e8eba34ca1619f7e8a11e2e8677878d292
SHA256

46dd53f3096877a4cad89b77f2d23018d8bc5887a9c0d699cb43ffe9d0b5e29d
SHA512

a9841b2fb08bc50a6476d366d5f8a44e1dec00d541f81e2a5829a09221313efe535470d06b0c5aa5c4d3beb3c4c18a72f96cfab329e88e66b39ce416ad7bc601

Score

10^/10

agenttesla collection keylogger spyware stealer suricata trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4076-122-0x00000000020D0000-0x000000000211E000-memory.dmp	family_agenttesla
behavioral2/memory/4076-124-0x0000000004AB0000-0x0000000004AFE000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

7 3620 wscript.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

rt.exert.exe

pid process

4024 rt.exe
4076 rt.exe
Loads dropped DLL 1 IoCs

Processes:

rt.exe

pid process

4024 rt.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
7	3620	wscript.exe

pid	process
4024	rt.exe
4076	rt.exe

pid	process
4024	rt.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rt.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rt.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rt.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rt.exe

description pid process target process

PID 4024 set thread context of 4076 4024 rt.exe rt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 4024 set thread context of 4076	4024	rt.exe	rt.exe

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\rt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\rt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\rt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\rt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\rt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\rt.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rt.exe

pid process

4076 rt.exe
4076 rt.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rt.exe

description pid process

Token: SeDebugPrivilege 4076 rt.exe

pid	process
4076	rt.exe
4076	rt.exe

description	pid	process
Token: SeDebugPrivilege	4076	rt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wscript.exert.exe

description	pid	process	target process
PID 3620 wrote to memory of 4024	3620	wscript.exe	rt.exe
PID 3620 wrote to memory of 4024	3620	wscript.exe	rt.exe
PID 3620 wrote to memory of 4024	3620	wscript.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe
PID 4024 wrote to memory of 4076	4024	rt.exe	rt.exe

outlook_office_path 1 IoCs

Processes:

rt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rt.exe

outlook_win_path 1 IoCs

Processes:

rt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rt.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\documentos Fedex.js"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3620

C:\Users\Admin\AppData\Local\Temp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\rt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\rt.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rt.exe
MD5
8fb7946d29d68860b8bc07fcf90fae8d

SHA1
390ebf3d4300d068beee34af09f0ff171e643e78

SHA256
032fa5601a6069aada31d048dd861f3e2a6c5630d34158e4675e4ad287d85416

SHA512
77bedc656bc27fe6da54f8f3c00b35abd87230885fe32421a80bcb5151d6fa7f3ce6dd5c2020315493cb735c52773df2a85e7624f95c246ff369ed09cda05347

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt.exe
MD5
8fb7946d29d68860b8bc07fcf90fae8d

SHA1
390ebf3d4300d068beee34af09f0ff171e643e78

SHA256
032fa5601a6069aada31d048dd861f3e2a6c5630d34158e4675e4ad287d85416

SHA512
77bedc656bc27fe6da54f8f3c00b35abd87230885fe32421a80bcb5151d6fa7f3ce6dd5c2020315493cb735c52773df2a85e7624f95c246ff369ed09cda05347

Download Submit
C:\Users\Admin\AppData\Local\Temp\rt.exe
MD5
8fb7946d29d68860b8bc07fcf90fae8d

SHA1
390ebf3d4300d068beee34af09f0ff171e643e78

SHA256
032fa5601a6069aada31d048dd861f3e2a6c5630d34158e4675e4ad287d85416

SHA512
77bedc656bc27fe6da54f8f3c00b35abd87230885fe32421a80bcb5151d6fa7f3ce6dd5c2020315493cb735c52773df2a85e7624f95c246ff369ed09cda05347

Download Submit
\Users\Admin\AppData\Local\Temp\nso99D1.tmp\dtnl.dll
MD5
840e0f2e89ed8fbb85e6657332ff2fd1

SHA1
5f2464f068985b3330bcd2b3bc36b27a39663ffd

SHA256
0393ed607a76ba561647b127817608b71471c9f4a2c9ea9a9dac31be30b8e930

SHA512
1e2de2ed1589bf7524a2def8ed31606e94e6d93f3afd0f96eda12792d7180526ce16b500076b469e705d58190b324338ab2b28028aad3cead6e692842c3f8249

Download Submit
memory/4024-115-0x0000000000000000-mapping.dmp

Download
memory/4076-125-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4076-127-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/4076-122-0x00000000020D0000-0x000000000211E000-memory.dmp

Filesize
312KB

Download
memory/4076-123-0x0000000004B20000-0x000000000501E000-memory.dmp

Filesize
5.0MB

Download
memory/4076-124-0x0000000004AB0000-0x0000000004AFE000-memory.dmp

Filesize
312KB

Download
memory/4076-119-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4076-126-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4076-120-0x000000000040CD2F-mapping.dmp

Download
memory/4076-128-0x0000000004B13000-0x0000000004B14000-memory.dmp

Filesize
4KB

Download
memory/4076-129-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/4076-130-0x0000000004B14000-0x0000000004B16000-memory.dmp

Filesize
8KB

Download
memory/4076-131-0x0000000005790000-0x00000000057A8000-memory.dmp

Filesize
96KB

Download
memory/4076-132-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/4076-133-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/4076-134-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads