agenttesla | 263ef0b82b77fd9aa3c5e6b8811aab7798c28126e13b9561f45bfec1e4df61a3

General

Target

PO13132021.exe
Size

708KB
MD5

fdf61d93bd142badc9cec0773400f9de
SHA1

dc3aed7314d960d7d2fb89b58cb8e13510b93aa2
SHA256

263ef0b82b77fd9aa3c5e6b8811aab7798c28126e13b9561f45bfec1e4df61a3
SHA512

8b3e86b5c80b085827d6a052b9dea7c6db99e8bd98bb2ee1e421fdbf85120a6d14e1d26226335e33e78c26ecc7860e20b5b55aa1647cafdb149226c3aeb6285a

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2720-10-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

drrcplezq.exec2q7vx43b9rpk.exe

pid process

2300 drrcplezq.exe
2720 c2q7vx43b9rpk.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

drrcplezq.exe

description pid process target process

PID 2300 set thread context of 2720 2300 drrcplezq.exe c2q7vx43b9rpk.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2300 set thread context of 2720	2300	drrcplezq.exe	c2q7vx43b9rpk.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

drrcplezq.exec2q7vx43b9rpk.exe

pid	process
2300	drrcplezq.exe
2300	drrcplezq.exe
2300	drrcplezq.exe
2300	drrcplezq.exe
2300	drrcplezq.exe
2300	drrcplezq.exe
2300	drrcplezq.exe
2300	drrcplezq.exe
2720	c2q7vx43b9rpk.exe
2720	c2q7vx43b9rpk.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

drrcplezq.exe

pid process

2300 drrcplezq.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c2q7vx43b9rpk.exe

description pid process

Token: SeDebugPrivilege 2720 c2q7vx43b9rpk.exe

description	pid	process
Token: SeDebugPrivilege	2720	c2q7vx43b9rpk.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

PO13132021.exedrrcplezq.exe

description	pid	process	target process
PID 728 wrote to memory of 2300	728	PO13132021.exe	drrcplezq.exe
PID 728 wrote to memory of 2300	728	PO13132021.exe	drrcplezq.exe
PID 728 wrote to memory of 2300	728	PO13132021.exe	drrcplezq.exe
PID 2300 wrote to memory of 2720	2300	drrcplezq.exe	c2q7vx43b9rpk.exe
PID 2300 wrote to memory of 2720	2300	drrcplezq.exe	c2q7vx43b9rpk.exe
PID 2300 wrote to memory of 2720	2300	drrcplezq.exe	c2q7vx43b9rpk.exe
PID 2300 wrote to memory of 2720	2300	drrcplezq.exe	c2q7vx43b9rpk.exe

C:\Users\Admin\AppData\Local\Temp\PO13132021.exe
"C:\Users\Admin\AppData\Local\Temp\PO13132021.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:728

C:\Users\Admin\AppData\Local\Temp\Nla\drrcplezq.exe
C:\Users\Admin\AppData\Local\Temp\Nla\drrcplezq.exe C:\Users\Admin\AppData\Local\Temp\Nla\zrhnjyesv.c
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\Nla\c2q7vx43b9rpk.exe
C:\Users\Admin\AppData\Local\Temp\Nla\drrcplezq.exe C:\Users\Admin\AppData\Local\Temp\Nla\zrhnjyesv.c
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\c2q7vx43b9rpk.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\drrcplezq.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\drrcplezq.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\fnpbob.ifi
MD5
bfccca36e6ddf1276dab182bd14866b1

SHA1
a761fbbf44f2413b9bdf88338e5d83efd14c5677

SHA256
88e396389c3a3f98e26d4be6bad1d827f51373b3fe763b834fa68f8ddad043c8

SHA512
01bd5156925471a9510c5b564ac5f2635608e9bfcc16a6032ecbf649d14940f67933a254257c2c788187ca73dc2df1407c377c0555866debf16d492f165911e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\zrhnjyesv.c
MD5
13fa3a667933772147b7c755a7a51bec

SHA1
4af8159e09b3882de94cf89dc99cd62594f4c88c

SHA256
9ff522191a2f77480cdf7d32e8ddee677cbfe0158844810ec93148c2124ef9c0

SHA512
30a30002aea9df11f2a754e502aad6cf683549cdde5515a3d58cf3b6233511bb9e9a31248a76802038ce20b60e58c174565b49fff7f43b39449c30a4dda1a674

Download Submit
memory/2300-9-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/2300-2-0x0000000000000000-mapping.dmp

Download
memory/2720-7-0x000000000040188B-mapping.dmp

Download
memory/2720-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2720-12-0x00000000001F1000-0x00000000001F2000-memory.dmp

Filesize
4KB

Download
memory/2720-11-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2720-13-0x00000000001F2000-0x00000000001F4000-memory.dmp

Filesize
8KB

Download
memory/2720-14-0x00000000001F7000-0x00000000001F8000-memory.dmp

Filesize
4KB

Download
memory/2720-15-0x00000000001F8000-0x00000000001F9000-memory.dmp

Filesize
4KB

Download
memory/2720-16-0x00000000001FD000-0x00000000001FF000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads