agenttesla | d4f365f9895e6d8dc8975922386052ec3727a9f24ff147559f54d529e447c0b4

General

Target

New Order.exe
Size

389KB
MD5

971b524b2a3ae1adf97deb2456c8a15e
SHA1

355a9fae7eb5042e02680d4d9138f55681e3d203
SHA256

d4f365f9895e6d8dc8975922386052ec3727a9f24ff147559f54d529e447c0b4
SHA512

63b8f28d66acef1168167a2b6788530524d79dfaa519c0de0284c8aad62b967a3b5ffc8148531d451cf2c3ee0b9668d3674bec0d86c9296719d605c586c3314a

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Order.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	New Order.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	New Order.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

New Order.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	New Order.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	New Order.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

340 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

New Order.exe

pid process

1124 New Order.exe
1124 New Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New Order.exe

description pid process

Token: SeDebugPrivilege 1124 New Order.exe

pid	process
340	schtasks.exe

pid	process
1124	New Order.exe
1124	New Order.exe

description	pid	process
Token: SeDebugPrivilege	1124	New Order.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 1124 wrote to memory of 340	1124	New Order.exe	schtasks.exe
PID 1124 wrote to memory of 340	1124	New Order.exe	schtasks.exe
PID 1124 wrote to memory of 340	1124	New Order.exe	schtasks.exe
PID 1124 wrote to memory of 340	1124	New Order.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wRyCQByggAE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8610.tmp"
2⤵
- Creates scheduled task(s)
PID:340

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8610.tmp
MD5
cea23ac73b4222fef28968d51a87b28b

SHA1
aeb6e61d21b8f95ccd988e919a9a1c0220a8883e

SHA256
c38b3334b3297bfa9d77b5a0593a60085c3e79cf65cd113b0357f26a8fbcd87a

SHA512
63a333a7b3774730b2a714725368e0cae43d2bc63faa670257a665e38f7312a4b1d74e9eb44eb8d6f55837261d3f5115783ee629a18ce21110f2614906b63326

Download Submit
memory/340-2-0x0000000000000000-mapping.dmp

Download
memory/1124-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads