agenttesla | 3d77a5226e3fcb836c244e51904fd7746f9afd2b5594935eed7d6483238d8b04

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7v20201028
submitted
26-01-2021 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-9087.exe

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

sekcqfb.exerttty72nv.exe

pid process

1500 sekcqfb.exe
1972 rttty72nv.exe
Loads dropped DLL 5 IoCs

Processes:

ORDER-9087.exesekcqfb.exedw20.exe

pid process

1732 ORDER-9087.exe
1500 sekcqfb.exe
1692 dw20.exe
1692 dw20.exe
1692 dw20.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sekcqfb.exe

description pid process target process

PID 1500 set thread context of 1972 1500 sekcqfb.exe rttty72nv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

sekcqfb.exerttty72nv.exe

pid process

1500 sekcqfb.exe
1500 sekcqfb.exe
1500 sekcqfb.exe
1500 sekcqfb.exe
1972 rttty72nv.exe
1972 rttty72nv.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1692 dw20.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

sekcqfb.exe

pid process

1500 sekcqfb.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rttty72nv.exe

description pid process

Token: SeDebugPrivilege 1972 rttty72nv.exe

pid	process
1500	sekcqfb.exe
1972	rttty72nv.exe

pid	process
1732	ORDER-9087.exe
1500	sekcqfb.exe
1692	dw20.exe
1692	dw20.exe
1692	dw20.exe

description	pid	process	target process
PID 1500 set thread context of 1972	1500	sekcqfb.exe	rttty72nv.exe

pid	process
1500	sekcqfb.exe
1500	sekcqfb.exe
1500	sekcqfb.exe
1500	sekcqfb.exe
1972	rttty72nv.exe
1972	rttty72nv.exe

pid	process
1692	dw20.exe

pid	process
1500	sekcqfb.exe

description	pid	process
Token: SeDebugPrivilege	1972	rttty72nv.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

ORDER-9087.exesekcqfb.exerttty72nv.exe

description	pid	process	target process
PID 1732 wrote to memory of 1500	1732	ORDER-9087.exe	sekcqfb.exe
PID 1732 wrote to memory of 1500	1732	ORDER-9087.exe	sekcqfb.exe
PID 1732 wrote to memory of 1500	1732	ORDER-9087.exe	sekcqfb.exe
PID 1732 wrote to memory of 1500	1732	ORDER-9087.exe	sekcqfb.exe
PID 1500 wrote to memory of 1972	1500	sekcqfb.exe	rttty72nv.exe
PID 1500 wrote to memory of 1972	1500	sekcqfb.exe	rttty72nv.exe
PID 1500 wrote to memory of 1972	1500	sekcqfb.exe	rttty72nv.exe
PID 1500 wrote to memory of 1972	1500	sekcqfb.exe	rttty72nv.exe
PID 1500 wrote to memory of 1972	1500	sekcqfb.exe	rttty72nv.exe
PID 1972 wrote to memory of 1692	1972	rttty72nv.exe	dw20.exe
PID 1972 wrote to memory of 1692	1972	rttty72nv.exe	dw20.exe
PID 1972 wrote to memory of 1692	1972	rttty72nv.exe	dw20.exe
PID 1972 wrote to memory of 1692	1972	rttty72nv.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\ORDER-9087.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER-9087.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe
C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe C:\Users\Admin\AppData\Local\Temp\Nla\dragubcuw.vza
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe C:\Users\Admin\AppData\Local\Temp\Nla\dragubcuw.vza
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 508
4⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nla\dragubcuw.vza
MD5
35c8169a76f07c2ef9cc306aae3a923f

SHA1
e4bdc01083c6938d0b1fa6341c2412aa34dfb37b

SHA256
946ef660c14f1a9c817553ff1f264e4fd5bd272a857c99ea9798c727e75a73e2

SHA512
49439919d46549908d2022c886b770ea9aeff350a5258cbae5f4e14c2ab9eb8098f3aaa6322cec0f6641fcc0de676eb83ecba4644aa07cc397614beab6fcbe0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nla\ysnzsszv.cg
MD5
a1c890effda03ce27a5df996d7692fa3

SHA1
2dafe7a1f6f86f5ef0f692d8093e92e07c445f4d

SHA256
eeb0d64753cf0d3942f37930dd2f37d3a7111688bf106a9068734f9cfa42280b

SHA512
9ded8ea17c20a31ce43085d2808618efaeb425a72b48eb11878b23bb2024cabb3b78cf72429fe46ae87eb1f64eddd0b18a23c48bedc0a16fee78fbb33e23af06

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\rttty72nv.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\Nla\sekcqfb.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1500-4-0x0000000000000000-mapping.dmp

Download
memory/1500-14-0x0000000000190000-0x0000000000192000-memory.dmp

Filesize
8KB

Download
memory/1692-22-0x0000000001FB0000-0x0000000001FC1000-memory.dmp

Filesize
68KB

Download
memory/1692-21-0x0000000000000000-mapping.dmp

Download
memory/1692-26-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download
memory/1692-30-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1972-19-0x0000000000267000-0x0000000000268000-memory.dmp

Filesize
4KB

Download
memory/1972-20-0x0000000000268000-0x0000000000269000-memory.dmp

Filesize
4KB

Download
memory/1972-18-0x0000000000262000-0x0000000000264000-memory.dmp

Filesize
8KB

Download
memory/1972-17-0x0000000000261000-0x0000000000262000-memory.dmp

Filesize
4KB

Download
memory/1972-16-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1972-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1972-11-0x000000000040188B-mapping.dmp

Download