agenttesla | a0499bdaa5a2407579f7c1a6d60dd3b8fc393f338ed352acf92d0554b4a4e37d

General

Target

NEW_SHIP.exe
Size

673KB
MD5

4d1a801103d87a6bb9d3e26689ef8983
SHA1

58f798848e53c6d5377eedb384e015a18351e0c2
SHA256

a6cb21742488b2257cc39988ced61f7ef5be6d3eff506c10fbc265aa560e6bd4
SHA512

d0989590ae27c069c2b6edd044bf34d83c0712c4a230c229a78a85fd91c6ea45630ac1c3de6ed5c5dfcbc795c390e90f9d58aeec8762b7eea783089c436c42bb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
VISION2020

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

NEW_SHIP.exe

description pid process target process

PID 1156 set thread context of 1724 1156 NEW_SHIP.exe NEW_SHIP.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NEW_SHIP.exe

pid process

1724 NEW_SHIP.exe
1724 NEW_SHIP.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEW_SHIP.exe

description pid process

Token: SeDebugPrivilege 1724 NEW_SHIP.exe

description	pid	process	target process
PID 1156 set thread context of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe

pid	process
1724	NEW_SHIP.exe
1724	NEW_SHIP.exe

description	pid	process
Token: SeDebugPrivilege	1724	NEW_SHIP.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

NEW_SHIP.exe

description	pid	process	target process
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe
PID 1156 wrote to memory of 1724	1156	NEW_SHIP.exe	NEW_SHIP.exe

C:\Users\Admin\AppData\Local\Temp\NEW_SHIP.exe
"C:\Users\Admin\AppData\Local\Temp\NEW_SHIP.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\NEW_SHIP.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1156-54-0x0000000001050000-0x00000000010FE000-memory.dmp

Filesize
696KB

Download
memory/1156-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1156-56-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1156-57-0x0000000007EA0000-0x0000000007F10000-memory.dmp

Filesize
448KB

Download
memory/1724-58-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-59-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-61-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-63-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-65-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-67-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-68-0x000000000040FFEF-mapping.dmp

Download
memory/1724-70-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-71-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-75-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1724-76-0x0000000073D80000-0x000000007432B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-77-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-79-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-81-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-78-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-80-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-82-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-84-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-86-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-83-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-85-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-87-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-88-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-90-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-91-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-93-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-94-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-95-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-96-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-98-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-97-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-92-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-89-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-99-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-102-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-101-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-104-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-103-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-106-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-107-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-108-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-105-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-100-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-109-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-110-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-111-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-113-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-114-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-115-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-116-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-112-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-118-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-120-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-122-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-121-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-119-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-123-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download
memory/1724-117-0x0000000000470000-0x00000000004CC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing