agenttesla | df6e5a970596d544e6f644924cafadda5a596e2337621ea98829bd36801fa02c

General

Target

AgentTesla.exe
Size

965KB
MD5

10888cbc0356d7ed153c9d646e650b67
SHA1

fe0d31a7ee4cae23de596186512c6af1310ead4c
SHA256

df6e5a970596d544e6f644924cafadda5a596e2337621ea98829bd36801fa02c
SHA512

a64b4b9e5525a6c609d1eac830a25d7d95e3ab9b6c9374130728bbdd8ddd492676cb8bb60d39139aadf18e8f7adf715d222b5596d7df601b8317cda78dc335c9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect
C:\PROGRA~1\COMMON~1\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2312-2-0x00000000005621E0-mapping.dmp	family_agenttesla
behavioral2/memory/2312-6-0x0000000000400000-0x0000000000564000-memory.dmp	family_agenttesla
behavioral2/memory/2312-7-0x0000000002AB0000-0x0000000002B5C000-memory.dmp	family_agenttesla

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	upx
behavioral2/memory/2312-1-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/2312-3-0x0000000000400000-0x0000000000564000-memory.dmp	upx
C:\PROGRA~1\COMMON~1\System\symsrv.dll	upx
\Program Files\Common Files\System\symsrv.dll	upx
behavioral2/memory/2312-6-0x0000000000400000-0x0000000000564000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

AgentTesla.exeAgentTesla.exe

pid process

792 AgentTesla.exe
2312 AgentTesla.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

AgentTesla.exe

description pid process target process

PID 792 set thread context of 2312 792 AgentTesla.exe AgentTesla.exe
Drops file in Program Files directory 1 IoCs

Processes:

AgentTesla.exe

description ioc process

File created C:\Program Files\Common Files\System\symsrv.dll AgentTesla.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

AgentTesla.exeAgentTesla.exe

pid process

792 AgentTesla.exe
792 AgentTesla.exe
2312 AgentTesla.exe
2312 AgentTesla.exe
2312 AgentTesla.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

AgentTesla.exe

pid process

792 AgentTesla.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AgentTesla.exeAgentTesla.exe

description pid process

Token: SeDebugPrivilege 792 AgentTesla.exe
Token: SeDebugPrivilege 2312 AgentTesla.exe
Token: SeDebugPrivilege 2312 AgentTesla.exe

pid	process
792	AgentTesla.exe
2312	AgentTesla.exe

description	pid	process	target process
PID 792 set thread context of 2312	792	AgentTesla.exe	AgentTesla.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	AgentTesla.exe

pid	process
792	AgentTesla.exe
792	AgentTesla.exe
2312	AgentTesla.exe
2312	AgentTesla.exe
2312	AgentTesla.exe

pid	process
792	AgentTesla.exe

description	pid	process
Token: SeDebugPrivilege	792	AgentTesla.exe
Token: SeDebugPrivilege	2312	AgentTesla.exe
Token: SeDebugPrivilege	2312	AgentTesla.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

AgentTesla.exe

description	pid	process	target process
PID 792 wrote to memory of 2312	792	AgentTesla.exe	AgentTesla.exe
PID 792 wrote to memory of 2312	792	AgentTesla.exe	AgentTesla.exe
PID 792 wrote to memory of 2312	792	AgentTesla.exe	AgentTesla.exe

C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2312

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\COMMON~1\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/2312-1-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2312-2-0x00000000005621E0-mapping.dmp

Download
memory/2312-3-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2312-6-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2312-7-0x0000000002AB0000-0x0000000002B5C000-memory.dmp

Filesize
688KB

Download
memory/2312-8-0x0000000002A32000-0x0000000002A33000-memory.dmp

Filesize
4KB

Download
memory/2312-9-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads