agenttesla | b9df96522a30d05a026ab8874eef5ddae02042585e4cc5773909838250cf2635

General

Target

HTMY-209871640.exe
Size

715KB
MD5

5dc2b29720ea5d6823f6f2a11308a1f1
SHA1

e282164e13cbffb1da812b8dd12ae9c4cb91eac3
SHA256

b9df96522a30d05a026ab8874eef5ddae02042585e4cc5773909838250cf2635
SHA512

f0bba09345fdb6f134d653554b90f48641d16a0baf4944e66ff852e6286f2ca371c8b3649b893edbfa4b37adcba936d295a0b0ea74f66f5ad05773b6b89dc674

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2036-11-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

nzsuvx.exe8s0sa49elb2.exe

pid process

1640 nzsuvx.exe
2036 8s0sa49elb2.exe
Loads dropped DLL 1 IoCs

Processes:

HTMY-209871640.exe

pid process

3160 HTMY-209871640.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

nzsuvx.exe

description pid process target process

PID 1640 set thread context of 2036 1640 nzsuvx.exe 8s0sa49elb2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3160	HTMY-209871640.exe

description	pid	process	target process
PID 1640 set thread context of 2036	1640	nzsuvx.exe	8s0sa49elb2.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

nzsuvx.exe8s0sa49elb2.exe

pid	process
1640	nzsuvx.exe
1640	nzsuvx.exe
1640	nzsuvx.exe
1640	nzsuvx.exe
1640	nzsuvx.exe
1640	nzsuvx.exe
1640	nzsuvx.exe
1640	nzsuvx.exe
2036	8s0sa49elb2.exe
2036	8s0sa49elb2.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

nzsuvx.exe

pid process

1640 nzsuvx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8s0sa49elb2.exe

description pid process

Token: SeDebugPrivilege 2036 8s0sa49elb2.exe

description	pid	process
Token: SeDebugPrivilege	2036	8s0sa49elb2.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

HTMY-209871640.exenzsuvx.exe

description	pid	process	target process
PID 3160 wrote to memory of 1640	3160	HTMY-209871640.exe	nzsuvx.exe
PID 3160 wrote to memory of 1640	3160	HTMY-209871640.exe	nzsuvx.exe
PID 3160 wrote to memory of 1640	3160	HTMY-209871640.exe	nzsuvx.exe
PID 1640 wrote to memory of 2036	1640	nzsuvx.exe	8s0sa49elb2.exe
PID 1640 wrote to memory of 2036	1640	nzsuvx.exe	8s0sa49elb2.exe
PID 1640 wrote to memory of 2036	1640	nzsuvx.exe	8s0sa49elb2.exe
PID 1640 wrote to memory of 2036	1640	nzsuvx.exe	8s0sa49elb2.exe

C:\Users\Admin\AppData\Local\Temp\HTMY-209871640.exe
"C:\Users\Admin\AppData\Local\Temp\HTMY-209871640.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\Nla\nzsuvx.exe
C:\Users\Admin\AppData\Local\Temp\Nla\nzsuvx.exe C:\Users\Admin\AppData\Local\Temp\Nla\oylomfj.osa
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\Nla\8s0sa49elb2.exe
C:\Users\Admin\AppData\Local\Temp\Nla\nzsuvx.exe C:\Users\Admin\AppData\Local\Temp\Nla\oylomfj.osa
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\8s0sa49elb2.exe
MD5
221567466782aa578f0dab4523f17eb3

SHA1
e55e0798ff6e861bb1f9fabeaa293ef2e799515e

SHA256
9d10d8583c2282e85c33a619455bf7254edd11c86bf6e772e7c20254f155b462

SHA512
1c34144e7c53e28cf26c43a2f876d83a99cf6481f8523c86e06af35e1287fab23165d25c26fc2772c40a79274d92edd40865591de408a66467703a0c87b1ae9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\ijbfzlthiv.jp
MD5
9a6b9734f77abff52dd059bd307d567c

SHA1
63c2ce33958afb54fee604b11631e01af4e14d7f

SHA256
9e47afb5842b87d2554d7cea1a2fef948612e64dae5e7d80dc0199db35c6feeb

SHA512
a4d4eb844d296820c7b6aef7c1f473820aaecc7906164e03ae8c5576fcf78b293443be1f7518f99cdb28de33b968bc510bf71bb69015a33782d0290737764c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\nzsuvx.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\nzsuvx.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\oylomfj.osa
MD5
181fdd7a69005b39ad831dbbbd224b05

SHA1
a9bfac6c503d75b4da366b280e697b1375383fd5

SHA256
421427ae4a25044dfcf0090733775b46d8dead036be67488a05c6e89805fc3cf

SHA512
6abaed11ce67c0c992bc7ea6bc9ddb9c852b24e12cad9fe03180bd2848c2e5349e1e0368698e4d7fcdeeba2defe177195a1dd08b36bf2107f9a11edf0ee871fd

Download Submit
\Users\Admin\AppData\Local\Temp\nsw31B6.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/1640-2-0x0000000000000000-mapping.dmp

Download
memory/1640-10-0x0000000004B30000-0x0000000004B32000-memory.dmp

Filesize
8KB

Download
memory/2036-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2036-12-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2036-7-0x000000000040188B-mapping.dmp

Download
memory/2036-13-0x0000000002431000-0x0000000002432000-memory.dmp

Filesize
4KB

Download
memory/2036-14-0x0000000002432000-0x0000000002434000-memory.dmp

Filesize
8KB

Download
memory/2036-15-0x0000000002437000-0x0000000002438000-memory.dmp

Filesize
4KB

Download
memory/2036-16-0x0000000002438000-0x0000000002439000-memory.dmp

Filesize
4KB

Download
memory/2036-17-0x000000000243D000-0x000000000243F000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads