agenttesla | d8453b3e4363f9154458b927cdf398ce8f792a61cd0eaa387a535802bff24179

General

Target

Transfer Confirmation.exe
Size

617KB
MD5

4933039c07233e307f6a8ee44229f81b
SHA1

e0f164c88ead46da499516596adb16bde31b3243
SHA256

1c8ee9c80b54c9a2f245d2e98ce8d25702becbc6584135c4278169d406016dd8
SHA512

6072234ed2ee6c19e45ccc61dc52e730cbfd568a78ad2e11eae4714c34e95894b8fe93eabcb8c2ad1cc1e3b45a5e0326d393418dce0df7c39b4baa0289a94d7c

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
K$pbkEK0

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1960-65-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1960-64-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1960-66-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1960-67-0x0000000000446DFE-mapping.dmp	family_agenttesla
behavioral1/memory/1960-69-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/1960-71-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Transfer Confirmation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Transfer Confirmation.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Transfer Confirmation.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Transfer Confirmation.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Transfer Confirmation.exe

description pid process target process

PID 916 set thread context of 1960 916 Transfer Confirmation.exe Transfer Confirmation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1692 schtasks.exe

description	pid	process	target process
PID 916 set thread context of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe

pid	process
1692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Transfer Confirmation.exeTransfer Confirmation.exe

pid	process
916	Transfer Confirmation.exe
916	Transfer Confirmation.exe
916	Transfer Confirmation.exe
1960	Transfer Confirmation.exe
1960	Transfer Confirmation.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Transfer Confirmation.exeTransfer Confirmation.exe

description pid process

Token: SeDebugPrivilege 916 Transfer Confirmation.exe
Token: SeDebugPrivilege 1960 Transfer Confirmation.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Transfer Confirmation.exe

pid process

1960 Transfer Confirmation.exe

description	pid	process
Token: SeDebugPrivilege	916	Transfer Confirmation.exe
Token: SeDebugPrivilege	1960	Transfer Confirmation.exe

pid	process
1960	Transfer Confirmation.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Transfer Confirmation.exe

description	pid	process	target process
PID 916 wrote to memory of 1692	916	Transfer Confirmation.exe	schtasks.exe
PID 916 wrote to memory of 1692	916	Transfer Confirmation.exe	schtasks.exe
PID 916 wrote to memory of 1692	916	Transfer Confirmation.exe	schtasks.exe
PID 916 wrote to memory of 1692	916	Transfer Confirmation.exe	schtasks.exe
PID 916 wrote to memory of 1616	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1616	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1616	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1616	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe
PID 916 wrote to memory of 1960	916	Transfer Confirmation.exe	Transfer Confirmation.exe

outlook_office_path 1 IoCs

Processes:

Transfer Confirmation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Transfer Confirmation.exe

outlook_win_path 1 IoCs

Processes:

Transfer Confirmation.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Transfer Confirmation.exe

C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ekPvgdvGqRbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD634.tmp"
2⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe
"{path}"
2⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe
"{path}"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD634.tmp

Filesize
1KB

MD5
2967455727c7d96c3837c7e2ae25dccf

SHA1
a8b6b0e1cb27b7b6818c85f26f588a6e3de2a216

SHA256
e49d27b8c91b78fbaa4c1cb3d3d3ad166541894032aff91cfb1b39043e48b569

SHA512
a974cb8a239c8034ab7455a1f76d8d92b6511e6343da322f65620f225b5fbec569ccb0b5f688fd1af8f1a84df5ad0e712d22aa603b43bcc251cc79f2bf563b7d

Download Submit
memory/916-57-0x0000000005520000-0x00000000055B4000-memory.dmp

Filesize
592KB

Download
memory/916-56-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/916-54-0x0000000000120000-0x00000000001C0000-memory.dmp

Filesize
640KB

Download
memory/916-58-0x00000000059B0000-0x0000000005A2C000-memory.dmp

Filesize
496KB

Download
memory/916-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1692-59-0x0000000000000000-mapping.dmp

Download
memory/1960-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-61-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-65-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-64-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-66-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-67-0x0000000000446DFE-mapping.dmp

Download
memory/1960-69-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1960-71-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads