agenttesla | 944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16

General

Target

roomitinerary .cmd.exe
Size

5.0MB
MD5

447a03ebc9cf49088d63a74a3f8f62cd
SHA1

70a68bdf6ccde6b60604d923043893448ac44f02
SHA256

944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16
SHA512

1857b6e4e3eb966850e5d1446bf9657c4f833bf85ef0d68a22bc82042fceac4c09ae0fb44fad27e412e22130fa1468ee32b15287e8cbb5b24dab37ba5c38e963

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

roomitinerary .cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\roomitinerary .cmd.exe\""	roomitinerary .cmd.exe

AgentTesla Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1068-5-0x0000000000660000-0x0000000000739000-memory.dmp	family_agenttesla
behavioral1/memory/1068-6-0x0000000004650000-0x000000000471D000-memory.dmp	family_agenttesla
behavioral1/memory/1068-8-0x00000000009F0000-0x0000000000AA5000-memory.dmp	family_agenttesla
behavioral1/memory/1068-9-0x00000000083B0000-0x000000000845A000-memory.dmp	family_agenttesla
behavioral1/memory/1068-7-0x0000000006030000-0x00000000060F1000-memory.dmp	family_agenttesla
behavioral1/memory/1068-11-0x00000000085A0000-0x0000000008633000-memory.dmp	family_agenttesla
behavioral1/memory/1068-10-0x0000000008500000-0x000000000859F000-memory.dmp	family_agenttesla
behavioral1/memory/1068-12-0x0000000008640000-0x00000000086C8000-memory.dmp	family_agenttesla
behavioral1/memory/1068-13-0x00000000005D0000-0x000000000064D000-memory.dmp	family_agenttesla
behavioral1/memory/1068-14-0x00000000086D0000-0x0000000008742000-memory.dmp	family_agenttesla
behavioral1/memory/1068-15-0x0000000006100000-0x0000000006136000-memory.dmp	family_agenttesla

Drops startup file 2 IoCs

Processes:

roomitinerary .cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roomitinerary .cmd.exe	roomitinerary .cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\roomitinerary .cmd.exe	roomitinerary .cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

roomitinerary .cmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roomitinerary .cmd.exe"	roomitinerary .cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\roomitinerary .cmd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roomitinerary .cmd.exe"	roomitinerary .cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\CZVkY = "C:\\Users\\Admin\\AppData\\Roaming\\CZVkY\\CZVkY.exe"	roomitinerary .cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

roomitinerary .cmd.exe

pid process

1068 roomitinerary .cmd.exe
1068 roomitinerary .cmd.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

roomitinerary .cmd.exe

pid process

1068 roomitinerary .cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

roomitinerary .cmd.exe

description pid process

Token: SeDebugPrivilege 1068 roomitinerary .cmd.exe

pid	process
1068	roomitinerary .cmd.exe
1068	roomitinerary .cmd.exe

pid	process
1068	roomitinerary .cmd.exe

description	pid	process
Token: SeDebugPrivilege	1068	roomitinerary .cmd.exe

C:\Users\Admin\AppData\Local\Temp\roomitinerary .cmd.exe
"C:\Users\Admin\AppData\Local\Temp\roomitinerary .cmd.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1068

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp

Filesize
6.9MB

Download
memory/1068-3-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1068-5-0x0000000000660000-0x0000000000739000-memory.dmp

Filesize
868KB

Download
memory/1068-6-0x0000000004650000-0x000000000471D000-memory.dmp

Filesize
820KB

Download
memory/1068-8-0x00000000009F0000-0x0000000000AA5000-memory.dmp

Filesize
724KB

Download
memory/1068-9-0x00000000083B0000-0x000000000845A000-memory.dmp

Filesize
680KB

Download
memory/1068-7-0x0000000006030000-0x00000000060F1000-memory.dmp

Filesize
772KB

Download
memory/1068-11-0x00000000085A0000-0x0000000008633000-memory.dmp

Filesize
588KB

Download
memory/1068-10-0x0000000008500000-0x000000000859F000-memory.dmp

Filesize
636KB

Download
memory/1068-12-0x0000000008640000-0x00000000086C8000-memory.dmp

Filesize
544KB

Download
memory/1068-13-0x00000000005D0000-0x000000000064D000-memory.dmp

Filesize
500KB

Download
memory/1068-14-0x00000000086D0000-0x0000000008742000-memory.dmp

Filesize
456KB

Download
memory/1068-15-0x0000000006100000-0x0000000006136000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads