agenttesla | 01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8

General

Target

01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe
Size

403KB
MD5

c081e925d1f5ffa3057680b76e354141
SHA1

fe2a4b9d382fffe418d34d101785ce7a787c6aa0
SHA256

01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8
SHA512

14c554c4c2bccb5ce9299f4cbdf1bd1fd318d4e37ad77cbbf765ae04b539a896c33050c399cc0357ac74e3893a54805d5b2ceffbf5bc32ae4ecdb6b80b6ed6ae
SSDEEP

12288:D94/XlCUvQt1apQ7ERtLJ7N/vMmbCH/a9:DO5vzpvLJ7N3vCHS9

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

iqqsmqf.exeiqqsmqf.exe

pid process

2696 iqqsmqf.exe
5020 iqqsmqf.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

iqqsmqf.exe

description pid process target process

PID 2696 set thread context of 5020 2696 iqqsmqf.exe iqqsmqf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iqqsmqf.exe

pid process

5020 iqqsmqf.exe
5020 iqqsmqf.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

iqqsmqf.exe

pid process

2696 iqqsmqf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

iqqsmqf.exe

description pid process

Token: SeDebugPrivilege 5020 iqqsmqf.exe

pid	process
2696	iqqsmqf.exe
5020	iqqsmqf.exe

description	pid	process	target process
PID 2696 set thread context of 5020	2696	iqqsmqf.exe	iqqsmqf.exe

pid	process
5020	iqqsmqf.exe
5020	iqqsmqf.exe

pid	process
2696	iqqsmqf.exe

description	pid	process
Token: SeDebugPrivilege	5020	iqqsmqf.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exeiqqsmqf.exe

description	pid	process	target process
PID 4944 wrote to memory of 2696	4944	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	iqqsmqf.exe
PID 4944 wrote to memory of 2696	4944	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	iqqsmqf.exe
PID 4944 wrote to memory of 2696	4944	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	iqqsmqf.exe
PID 2696 wrote to memory of 5020	2696	iqqsmqf.exe	iqqsmqf.exe
PID 2696 wrote to memory of 5020	2696	iqqsmqf.exe	iqqsmqf.exe
PID 2696 wrote to memory of 5020	2696	iqqsmqf.exe	iqqsmqf.exe
PID 2696 wrote to memory of 5020	2696	iqqsmqf.exe	iqqsmqf.exe

C:\Users\Admin\AppData\Local\Temp\01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe
"C:\Users\Admin\AppData\Local\Temp\01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe
"C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe
"C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtlzwvurz.k

Filesize
333KB

MD5
6b1c08140286d7333b668a0d387dfeb0

SHA1
46f2b3da75af49e6daede57d362102564c6c525d

SHA256
45e0101d414ac7f6378f1f39e63a1907aa1c1c7d8d74dea58ed9b3d54dad9644

SHA512
80d130300da51896d920b9bb17168d3a84d66c517c7523084c1727aed12199602a2d37702aedf2b529af6ccfd4da7d9d03602a988be0d54abf94d58c9f73596a

Download Submit
memory/2696-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2696-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5020-14-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5020-18-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5020-11-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5020-12-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5020-13-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/5020-15-0x0000000004910000-0x0000000004952000-memory.dmp

Filesize
264KB

Download
memory/5020-7-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5020-16-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5020-17-0x00000000049B0000-0x0000000004F54000-memory.dmp

Filesize
5.6MB

Download
memory/5020-9-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5020-19-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/5020-20-0x00000000056F0000-0x0000000005740000-memory.dmp

Filesize
320KB

Download
memory/5020-21-0x0000000005740000-0x00000000057DC000-memory.dmp

Filesize
624KB

Download
memory/5020-22-0x0000000005E40000-0x0000000005ED2000-memory.dmp

Filesize
584KB

Download
memory/5020-23-0x0000000006050000-0x000000000605A000-memory.dmp

Filesize
40KB

Download
memory/5020-25-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/5020-26-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5020-28-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5020-29-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing