agenttesla | ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86

General

Target

ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
Size

631KB
MD5

ed4b8e965a5e8a2b185f38a2dc7b5c1b
SHA1

4f9a24c87e5cea08769b8ba5559c755f9a8749e6
SHA256

ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86
SHA512

60c0518c3c6436889bee9dcf1cb11db8cbfbc2ca37aea8a245c1ba18537e079ed92a99a746d6a370d315daf6d7204ea7985a86da6bc827421cdc54fdf1ffe055
SSDEEP

12288:j45+po2oQpPwiViAQZb9EuQlbmtDaB6x/rQj0fBcuCA1YDL4o:i+pJhpPwT1ZZEuQlatDaIx/rQscuDWN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1179358691389087754/yHthw4-13k_nboZGWySep8nLvTdwO_hiLUgjd1s52EzGArYfNy0GTqcuv8MADYaMkJvH

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

description	pid	process	target process
PID 1164 set thread context of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

544 4160 WerFault.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

pid	pid_target	process	target process
544	4160	WerFault.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

pid	process
4160	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
4160	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

description pid process

Token: SeDebugPrivilege 4160 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

description	pid	process
Token: SeDebugPrivilege	4160	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

description	pid	process	target process
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
PID 1164 wrote to memory of 4160	1164	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe	ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe

C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
"C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
"C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 1836
3⤵
- Program crash
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4160 -ip 4160
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe.log

Filesize
2KB

MD5
93d52c1bc7c38d958583ebbd3dc09cd4

SHA1
4c5ee6f9c9ae190c9a0cccb91fa2257ddcb8b0d5

SHA256
2905f3a06dd8907ddbcbe64389cffcc8a5273d1822e25f8bea385bdd01653c76

SHA512
dfc55c3247d7734c5a531fb5a3de689e8bb823e82c14ad6cab16923d50d51e03e5e86165a7d65b3059a66b67968b611368b010a6d9f755916b01ef7b67c5228e

Download Submit
memory/1164-4-0x00000000056E0000-0x0000000005772000-memory.dmp

Filesize
584KB

Download
memory/1164-3-0x0000000005D40000-0x00000000062E4000-memory.dmp

Filesize
5.6MB

Download
memory/1164-10-0x0000000006970000-0x0000000006A0C000-memory.dmp

Filesize
624KB

Download
memory/1164-9-0x0000000008040000-0x00000000080BC000-memory.dmp

Filesize
496KB

Download
memory/1164-5-0x0000000005D10000-0x0000000005D1A000-memory.dmp

Filesize
40KB

Download
memory/1164-6-0x0000000005D20000-0x0000000005D38000-memory.dmp

Filesize
96KB

Download
memory/1164-7-0x0000000006850000-0x0000000006858000-memory.dmp

Filesize
32KB

Download
memory/1164-8-0x0000000006860000-0x000000000686A000-memory.dmp

Filesize
40KB

Download
memory/1164-14-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1164-2-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/1164-1-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/1164-0-0x0000000000BE0000-0x0000000000C84000-memory.dmp

Filesize
656KB

Download
memory/4160-19-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-15-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/4160-17-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4160-16-0x0000000005320000-0x0000000005330000-memory.dmp

Filesize
64KB

Download
memory/4160-18-0x0000000006380000-0x00000000063D0000-memory.dmp

Filesize
320KB

Download
memory/4160-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads