agenttesla | 2d4ab4633e5146174ae65cb1c14ffb8e4e2c104ef6607756366e38c29c8d344d

General

Target

2020819 MCHPLT.exe
Size

715KB
MD5

434bad3dddf2e21f14a918e7c52a00cd
SHA1

60f13b562b9768f85aed3f8510e3f8b906c2268b
SHA256

b745f8bc7dd3ee96edc308bcfbe51d0807a32a31be0a99b56a847d9df84cc200
SHA512

54e481ddd31cbccde5a6085523270c05dee2f90a0b00ca8e7b95b0c587ad69d4f154a05bad6b033126e64b129e670131e8483de4b9ee5c11dea4e48fa3be7d44

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hybridgroupco.com
Port:
587
Username:
[email protected]
Password:
Obinna123@@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1128-61-0x0000000000400000-0x0000000000466000-memory.dmp	family_agenttesla
behavioral1/memory/1128-62-0x0000000000400000-0x0000000000466000-memory.dmp	family_agenttesla
behavioral1/memory/1128-63-0x0000000000400000-0x0000000000466000-memory.dmp	family_agenttesla
behavioral1/memory/1128-64-0x000000000046141E-mapping.dmp	family_agenttesla
behavioral1/memory/1128-66-0x0000000000400000-0x0000000000466000-memory.dmp	family_agenttesla
behavioral1/memory/1128-68-0x0000000000400000-0x0000000000466000-memory.dmp	family_agenttesla

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

2020819 MCHPLT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2020819 MCHPLT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2020819 MCHPLT.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2020819 MCHPLT.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2020819 MCHPLT.exe

description pid process target process

PID 1512 set thread context of 1128 1512 2020819 MCHPLT.exe 2020819 MCHPLT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

856 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2020819 MCHPLT.exe2020819 MCHPLT.exe

pid process

1512 2020819 MCHPLT.exe
1128 2020819 MCHPLT.exe
1128 2020819 MCHPLT.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2020819 MCHPLT.exe2020819 MCHPLT.exe

description pid process

Token: SeDebugPrivilege 1512 2020819 MCHPLT.exe
Token: SeDebugPrivilege 1128 2020819 MCHPLT.exe

description	pid	process	target process
PID 1512 set thread context of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe

pid	process
856	schtasks.exe

pid	process
1512	2020819 MCHPLT.exe
1128	2020819 MCHPLT.exe
1128	2020819 MCHPLT.exe

description	pid	process
Token: SeDebugPrivilege	1512	2020819 MCHPLT.exe
Token: SeDebugPrivilege	1128	2020819 MCHPLT.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

2020819 MCHPLT.exe

description	pid	process	target process
PID 1512 wrote to memory of 856	1512	2020819 MCHPLT.exe	schtasks.exe
PID 1512 wrote to memory of 856	1512	2020819 MCHPLT.exe	schtasks.exe
PID 1512 wrote to memory of 856	1512	2020819 MCHPLT.exe	schtasks.exe
PID 1512 wrote to memory of 856	1512	2020819 MCHPLT.exe	schtasks.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe
PID 1512 wrote to memory of 1128	1512	2020819 MCHPLT.exe	2020819 MCHPLT.exe

outlook_office_path 1 IoCs

Processes:

2020819 MCHPLT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2020819 MCHPLT.exe

outlook_win_path 1 IoCs

Processes:

2020819 MCHPLT.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2020819 MCHPLT.exe

C:\Users\Admin\AppData\Local\Temp\2020819 MCHPLT.exe
"C:\Users\Admin\AppData\Local\Temp\2020819 MCHPLT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OfrPSj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB701.tmp"
2⤵
- Creates scheduled task(s)
PID:856

C:\Users\Admin\AppData\Local\Temp\2020819 MCHPLT.exe
"C:\Users\Admin\AppData\Local\Temp\2020819 MCHPLT.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB701.tmp

Filesize
1KB

MD5
f34dbc7fa2f91576af8de5be5c9fefd5

SHA1
83417e73b4dc72978e824966353b5818b6711488

SHA256
86441c31d089e085b2c4ed3f14554d6dd2d2bd3ed3cdc3e0270fc3e9905491b0

SHA512
59bbaf8ec47aecb356dad6d09ec02035a564e9a4679bc22f96601737b7da98e37e0e6b67b2f1f78b88933dd7881a4f2f0c6a1ceeed8ca6d873bdcb08f755ce0d

Download Submit
memory/856-56-0x0000000000000000-mapping.dmp

Download
memory/1128-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-62-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-64-0x000000000046141E-mapping.dmp

Download
memory/1128-66-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-68-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1128-70-0x00000000745D0000-0x0000000074B7B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-55-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/1512-54-0x0000000076421000-0x0000000076423000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads