agenttesla | 910a6e4138cb422bf570130f05cdb463d726c0eddb2882bdc6e42fb1daace384

General

Target

SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Size

635KB
MD5

a27c8ee8b37605f3c05e4eb4d614f359
SHA1

6a8b97217d52a752075b08207bad7d7c867a8854
SHA256

910a6e4138cb422bf570130f05cdb463d726c0eddb2882bdc6e42fb1daace384
SHA512

769fe817c1616f80672a63ad8a8464c26aa4374e569343df04feab22a3a1193eac5f7eee5fb3afaa94ed28792da492659c2b02220f0197c1b89641a0d7f9f536

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.unitelha.com
Port:
21
Username:
kilop@unitelha.com
Password:
Wljp?j]gQwC?

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.unitelha.com/
Port:
21
Username:
kilop@unitelha.com
Password:
Wljp?j]gQwC?

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

description	pid	process	target process
PID 2868 set thread context of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exeSecuriteInfo.com.W32.AIDetectNet.01.19723.exe

pid	process
2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
944	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
944	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exeSecuriteInfo.com.W32.AIDetectNet.01.19723.exe

description	pid	process
Token: SeDebugPrivilege	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Token: SeDebugPrivilege	944	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

description	pid	process	target process
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
PID 2868 wrote to memory of 944	2868	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

outlook_office_path 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

outlook_win_path 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	SecuriteInfo.com.W32.AIDetectNet.01.19723.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Lateral Movement

Collection

Data from Local System

2

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.log
Filesize
2KB

MD5
960db1608204cb34c7b9b2450df672c4

SHA1
7ca01174a0a3071a07039f6726a39d984c1009f1

SHA256
2595725555bd9b12413f06eac7b936d99596ff0376002e3955c15eb8501fde1b

SHA512
fb29c873d9ef3481d0a3525288ad5b366eb00e38321dd962e4c39845aaacae0f8b69c695a47417376a9f6fa04c158638ed640752c46e8f0ce7bade31e203f4d3

Download Submit
memory/944-135-0x0000000000000000-mapping.dmp

Download
memory/944-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/944-138-0x00000000063B0000-0x0000000006400000-memory.dmp

Filesize
320KB

Download
memory/944-139-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/2868-130-0x0000000000E80000-0x0000000000F24000-memory.dmp

Filesize
656KB

Download
memory/2868-131-0x0000000005FB0000-0x0000000006554000-memory.dmp

Filesize
5.6MB

Download
memory/2868-132-0x0000000005AA0000-0x0000000005B32000-memory.dmp

Filesize
584KB

Download
memory/2868-133-0x0000000005DE0000-0x0000000005E7C000-memory.dmp

Filesize
624KB

Download
memory/2868-134-0x0000000006A20000-0x0000000006A86000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads