agenttesla | 0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909

General

Target

0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
Size

696KB
MD5

2be3062f2532fe1cc25914a16a681603
SHA1

f1a0580ac3605fe98459a5cbef4e19a584818b6e
SHA256

0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909
SHA512

40c4aeeeab40c212d0a6ae3acfbed92e7032acffd86ffe0a0bf9a728a760bf4597bf5803db1f8e8cf0143d78f6e182a81b2c26565edaed9f4c6ff77efdb672ae
SSDEEP

12288:0P0R0MuixaBFnMf8FcDSA5B6Uh7S9RDSFgYCSZU+mYLOUQcaTPJSz2E/xEVKrkR:0sOMuLFQ3DnVWN6Z/Q3TPdqa

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.thanhancompony.com
Port:
587
Username:
[email protected]
Password:
aSkIhV^3
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

resource	yara_rule
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

resource	yara_rule
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

resource	yara_rule
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 360 set thread context of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2612	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
2612	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28
PID 360 wrote to memory of 2612	360	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	28

C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
"C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:360
- C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
  "C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/360-1-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/360-0-0x0000000000EF0000-0x0000000000FA0000-memory.dmp

Filesize
704KB

Download
memory/360-2-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download
memory/360-3-0x0000000000820000-0x0000000000840000-memory.dmp

Filesize
128KB

Download
memory/360-4-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/360-5-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/360-6-0x0000000004C80000-0x0000000004D02000-memory.dmp

Filesize
520KB

Download
memory/360-21-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-20-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-22-0x0000000000C20000-0x0000000000C60000-memory.dmp

Filesize
256KB

Download
memory/2612-23-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing