agenttesla | ea048a5efa33488ae01d42eaf70a02ff13f18353fd90cf37c1f741126c4bf7e9

General

Target

Commercial InvoiceContract#08BR19-20.exe
Size

346KB
MD5

1015b6ac7933ac770c115db33f6a5b5b
SHA1

0e7f032f39d5e50e0303cf51b65d593275e0a6a0
SHA256

6188651c5b4b883766439245dbe8b6b5575f8dc4f861eec3a3238d0ee7093f48
SHA512

041602df2a0e2f2b9dac4d34e4674403be2594aa4400051cdc2c0445912270b4d2fe1fbc4df8c12c3876b13acf6a03fba35a905ec9bc74c755766aa2a87b0f84
SSDEEP

6144:7E9//cB1JOTZBy9NvXkgHtoHqUUZ2Nd9avqa5FsPZc4h29MpzMr8w7xgFEycmC:71B10TANcgNyqKDpa5FOO4g9MWrf7xgI

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.fcc.com.sa
Port:
587
Username:
[email protected]
Password:
In123123

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2704-9-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2704-15-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2704-19-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2704-17-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2704-11-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Commercial InvoiceContract#08BR19-20.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Commercial InvoiceContract#08BR19-20.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Commercial InvoiceContract#08BR19-20.exe
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Commercial InvoiceContract#08BR19-20.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Commercial InvoiceContract#08BR19-20.exe

description	pid	process	target process
PID 2380 set thread context of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Commercial InvoiceContract#08BR19-20.exe

pid process

2704 Commercial InvoiceContract#08BR19-20.exe
2704 Commercial InvoiceContract#08BR19-20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Commercial InvoiceContract#08BR19-20.exe

description pid process

Token: SeDebugPrivilege 2704 Commercial InvoiceContract#08BR19-20.exe

pid	process
2704	Commercial InvoiceContract#08BR19-20.exe
2704	Commercial InvoiceContract#08BR19-20.exe

description	pid	process
Token: SeDebugPrivilege	2704	Commercial InvoiceContract#08BR19-20.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Commercial InvoiceContract#08BR19-20.exe

description	pid	process	target process
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe
PID 2380 wrote to memory of 2704	2380	Commercial InvoiceContract#08BR19-20.exe	Commercial InvoiceContract#08BR19-20.exe

outlook_office_path 1 IoCs

Processes:

Commercial InvoiceContract#08BR19-20.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Commercial InvoiceContract#08BR19-20.exe

outlook_win_path 1 IoCs

Processes:

Commercial InvoiceContract#08BR19-20.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Commercial InvoiceContract#08BR19-20.exe

C:\Users\Admin\AppData\Local\Temp\Commercial InvoiceContract#08BR19-20.exe
"C:\Users\Admin\AppData\Local\Temp\Commercial InvoiceContract#08BR19-20.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\Commercial InvoiceContract#08BR19-20.exe
  "{path}"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2380-0-0x00000000749F1000-0x00000000749F2000-memory.dmp

Filesize
4KB

Download
memory/2380-1-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-2-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-3-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-4-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-23-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-9-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2704-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-20-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-21-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-22-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2704-24-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download
memory/2704-25-0x00000000749F0000-0x0000000074F9B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads