agenttesla | 0744c3eb29101e4278a482fb2a9cc9e43f05bd33ceab82a44a32d4e71c414922

General

Target

FT23194060101821_faraday-products.exe
Size

822KB
MD5

fda03781991594e3250907f86ef14bfb
SHA1

3b4b62dd08f9a26ba701773129cac0bc97273edf
SHA256

0744c3eb29101e4278a482fb2a9cc9e43f05bd33ceab82a44a32d4e71c414922
SHA512

93360ebc9f0bd93c1b4e978fc15324d06bb60e61f47baaccc70a31942226e7b825974137faddae24f4da81b9ddf35bdea0f2fdb7d6d3463a0c6e96aa804cede3
SSDEEP

12288:rGIoafntxHipXHf6IfQBfbY+xTvxnPXBlo1i4NZL9YNJCpi:0aftxxWYz7jxs1i4NV9YNEpi

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mayaklogistic.ru
Port:
587
Username:
[email protected]
Password:
Tommy8118
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

FT23194060101821_faraday-products.exe

description pid process target process

PID 1948 set thread context of 2912 1948 FT23194060101821_faraday-products.exe FT23194060101821_faraday-products.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2888 schtasks.exe

description	pid	process	target process
PID 1948 set thread context of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe

pid	process
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

FT23194060101821_faraday-products.exeFT23194060101821_faraday-products.exepowershell.exepowershell.exe

pid	process
1948	FT23194060101821_faraday-products.exe
1948	FT23194060101821_faraday-products.exe
1948	FT23194060101821_faraday-products.exe
1948	FT23194060101821_faraday-products.exe
1948	FT23194060101821_faraday-products.exe
1948	FT23194060101821_faraday-products.exe
2912	FT23194060101821_faraday-products.exe
2912	FT23194060101821_faraday-products.exe
2692	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

FT23194060101821_faraday-products.exeFT23194060101821_faraday-products.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	FT23194060101821_faraday-products.exe
Token: SeDebugPrivilege	2912	FT23194060101821_faraday-products.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

FT23194060101821_faraday-products.exe

C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe
"C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XCBjbbSIWrXH.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XCBjbbSIWrXH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp"
2⤵
- Creates scheduled task(s)
PID:2888

C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe
"C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe"
2⤵
PID:2864

C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe
"C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe"
2⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe
"C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe"
2⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe
"C:\Users\Admin\AppData\Local\Temp\FT23194060101821_faraday-products.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp

Filesize
1KB

MD5
400995005a1c2535df9620de25ff1fcc

SHA1
00ba2a93b8c88f288c10ec4c978c49ed2404050c

SHA256
65442ddf0ee0e57920d952d60a462f2702c63c4a64f850bd2fe90fd4a9b61584

SHA512
d786c9c15ed018ffdb622d16f91a6b7344052ed6f4fa2ca2fe761f054d6d0b3c53c97e7d385dacf6929d846dcaa5bb2a5a2107cf2023c5fc724be409f7da1816

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DEGLPQICAKGB3WPG1HUD.temp

Filesize
7KB

MD5
0cb5e785586d6f8729f4ccd7febe42ac

SHA1
6dfafe6203dcc54b84fd5702e67cd5821893c9be

SHA256
6085ca48ae79c4a8f149cf61867e253512a99e62d82c5ee4cf0e8ce5e1ace87f

SHA512
81cc0f34874d4db4b3e0a5cd32d706ca1b6ea08d681e87debdb9cc4e17069147e4e9f98536d3d7e3e8342d851b6ca0a2fb65e9ceadb27d3d82634d17f975c0a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0cb5e785586d6f8729f4ccd7febe42ac

SHA1
6dfafe6203dcc54b84fd5702e67cd5821893c9be

SHA256
6085ca48ae79c4a8f149cf61867e253512a99e62d82c5ee4cf0e8ce5e1ace87f

SHA512
81cc0f34874d4db4b3e0a5cd32d706ca1b6ea08d681e87debdb9cc4e17069147e4e9f98536d3d7e3e8342d851b6ca0a2fb65e9ceadb27d3d82634d17f975c0a7

Download Submit
memory/1948-3-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/1948-4-0x00000000055B0000-0x000000000562A000-memory.dmp

Filesize
488KB

Download
memory/1948-2-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/1948-1-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/1948-0-0x0000000000230000-0x0000000000304000-memory.dmp

Filesize
848KB

Download
memory/1992-32-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-31-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/1992-29-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-28-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-33-0x000000006E120000-0x000000006E6CB000-memory.dmp

Filesize
5.7MB

Download
memory/2692-30-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/2912-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2912-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2912-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

description	pid	process	target process
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 1992	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2692	1948	FT23194060101821_faraday-products.exe	powershell.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2888	1948	FT23194060101821_faraday-products.exe	schtasks.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2864	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2904	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2720	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe
PID 1948 wrote to memory of 2912	1948	FT23194060101821_faraday-products.exe	FT23194060101821_faraday-products.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads