agenttesla | 4a9006cf3b6e40360af21fbc2c9c419a58212f9fc06cb2a534240790a2e6dbac

Analysis

max time kernel
137s
max time network
39s
platform
windows7_x64
resource
win7v20201028
submitted
26-01-2021 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid process

1504 InstallUtil.exe
Loads dropped DLL 1 IoCs

Processes:

5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe

pid process

1740 5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1504	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe

description	pid	process	target process
PID 1740 set thread context of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exeInstallUtil.exe

pid	process
1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe
1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe
1504	InstallUtil.exe
1504	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe
Token: SeDebugPrivilege	1504	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

1504 InstallUtil.exe

pid	process
1504	InstallUtil.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe

description	pid	process	target process
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe
PID 1740 wrote to memory of 1504	1740	5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe
"C:\Users\Admin\AppData\Local\Temp\5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
memory/1504-14-0x000000000043759E-mapping.dmp

Download
memory/1504-22-0x0000000004AC1000-0x0000000004AC2000-memory.dmp

Filesize
4KB

Download
memory/1504-21-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/1504-19-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/1504-18-0x0000000073470000-0x0000000073B5E000-memory.dmp

Filesize
6.9MB

Download
memory/1504-16-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/1740-8-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1740-12-0x0000000004A81000-0x0000000004A82000-memory.dmp

Filesize
4KB

Download
memory/1740-10-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/1740-9-0x0000000000580000-0x000000000058B000-memory.dmp

Filesize
44KB

Download
memory/1740-2-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-7-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/1740-5-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/1740-3-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download