agenttesla | df6e5a970596d544e6f644924cafadda5a596e2337621ea98829bd36801fa02c

General

Target

AgentTesla.exe
Size

965KB
MD5

10888cbc0356d7ed153c9d646e650b67
SHA1

fe0d31a7ee4cae23de596186512c6af1310ead4c
SHA256

df6e5a970596d544e6f644924cafadda5a596e2337621ea98829bd36801fa02c
SHA512

a64b4b9e5525a6c609d1eac830a25d7d95e3ab9b6c9374130728bbdd8ddd492676cb8bb60d39139aadf18e8f7adf715d222b5596d7df601b8317cda78dc335c9

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000200000001ada1-0.dat	acprotect
behavioral2/files/0x000200000001ada1-4.dat	acprotect
behavioral2/files/0x000200000001ada1-5.dat	acprotect

AgentTesla Payload 3 IoCs

resource	yara_rule
behavioral2/memory/2312-2-0x00000000005621E0-mapping.dmp	family_agenttesla
behavioral2/memory/2312-6-0x0000000000400000-0x0000000000564000-memory.dmp	family_agenttesla
behavioral2/memory/2312-7-0x0000000002AB0000-0x0000000002B5C000-memory.dmp	family_agenttesla

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001ada1-0.dat	upx
behavioral2/memory/2312-1-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/memory/2312-3-0x0000000000400000-0x0000000000564000-memory.dmp	upx
behavioral2/files/0x000200000001ada1-4.dat	upx
behavioral2/files/0x000200000001ada1-5.dat	upx
behavioral2/memory/2312-6-0x0000000000400000-0x0000000000564000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
792	AgentTesla.exe
2312	AgentTesla.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 2312	792	AgentTesla.exe	66

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	AgentTesla.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
792	AgentTesla.exe
792	AgentTesla.exe
2312	AgentTesla.exe
2312	AgentTesla.exe
2312	AgentTesla.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
792	AgentTesla.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	AgentTesla.exe
Token: SeDebugPrivilege	2312	AgentTesla.exe
Token: SeDebugPrivilege	2312	AgentTesla.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2312	792	AgentTesla.exe	66
PID 792 wrote to memory of 2312	792	AgentTesla.exe	66
PID 792 wrote to memory of 2312	792	AgentTesla.exe	66

C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
"C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe
  "C:\Users\Admin\AppData\Local\Temp\AgentTesla.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2312-1-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2312-3-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2312-6-0x0000000000400000-0x0000000000564000-memory.dmp

Filesize
1.4MB

Download
memory/2312-7-0x0000000002AB0000-0x0000000002B5C000-memory.dmp

Filesize
688KB

Download
memory/2312-8-0x0000000002A32000-0x0000000002A33000-memory.dmp

Filesize
4KB

Download
memory/2312-9-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing