agenttesla | 6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4

General

Target

6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe
Size

237KB
MD5

5577880f4c017d44278467b02d6b5d8b
SHA1

ff9330d4c990e4c448b25f9d633ccd5e136ded0c
SHA256

6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4
SHA512

a86d231874fbe21a848d6f4562da93cb60eb3106b5a44ad8892c9acf6f644569c301dfcab180f8527c9d7f8ed59ef43d46303de9750988b0873b16063ed5206a
SSDEEP

3072:6xqxxxRxUcESOT9Tujj9tKUk5PMI1cSkp:6sxxxRxUcESOxTujjyUG1Lk

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
j^JjgEi0
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe

pid	process
1888	6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe
1888	6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe

description pid process

Token: SeDebugPrivilege 1888 6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe

description	pid	process
Token: SeDebugPrivilege	1888	6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe

C:\Users\Admin\AppData\Local\Temp\6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe
"C:\Users\Admin\AppData\Local\Temp\6d4bdc02d59648f0a0364bfb9a6463e8694189c4f5ef7a2421bed4a53e0feed4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1888-0-0x00000000012B0000-0x00000000012F2000-memory.dmp

Filesize
264KB

Download
memory/1888-1-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-2-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download
memory/1888-3-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/1888-4-0x0000000004940000-0x0000000004980000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads