agenttesla | 27835347fbef2d9391f2c463b367b56778946b2b64cd504961155f288f101037

Analysis

max time kernel
55s
max time network
13s
platform
windows7_x64
resource
win7v20201028
submitted
28-01-2021 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0007334.xlsx (~2.2 MB).exe
Size

778KB
MD5

284989f47cbc30eaa179357f03335df7
SHA1

5fe3595529dfae1e3b908fe235bb232ac84c0629
SHA256

27835347fbef2d9391f2c463b367b56778946b2b64cd504961155f288f101037
SHA512

cfb51f200707a45c78686fa0f3cb7666b2df1b3093975a6b9433709ff2881b5957a5d97b04d21357997b1859cae8d9f0efebe6ed63a380b2878f2fb734172b4d

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2016-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

lnogrsyiy.exejmf6tkehw9.exe

pid process

1468 lnogrsyiy.exe
2016 jmf6tkehw9.exe
Loads dropped DLL 5 IoCs

Processes:

0007334.xlsx (~2.2 MB).exelnogrsyiy.exedw20.exe

pid process

324 0007334.xlsx (~2.2 MB).exe
1468 lnogrsyiy.exe
888 dw20.exe
888 dw20.exe
888 dw20.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

lnogrsyiy.exe

description pid process target process

PID 1468 set thread context of 2016 1468 lnogrsyiy.exe jmf6tkehw9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

lnogrsyiy.exejmf6tkehw9.exe

pid process

1468 lnogrsyiy.exe
1468 lnogrsyiy.exe
1468 lnogrsyiy.exe
1468 lnogrsyiy.exe
2016 jmf6tkehw9.exe
2016 jmf6tkehw9.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

lnogrsyiy.exe

pid process

1468 lnogrsyiy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jmf6tkehw9.exe

description pid process

Token: SeDebugPrivilege 2016 jmf6tkehw9.exe

pid	process
1468	lnogrsyiy.exe
2016	jmf6tkehw9.exe

pid	process
324	0007334.xlsx (~2.2 MB).exe
1468	lnogrsyiy.exe
888	dw20.exe
888	dw20.exe
888	dw20.exe

description	pid	process	target process
PID 1468 set thread context of 2016	1468	lnogrsyiy.exe	jmf6tkehw9.exe

pid	process
1468	lnogrsyiy.exe
1468	lnogrsyiy.exe
1468	lnogrsyiy.exe
1468	lnogrsyiy.exe
2016	jmf6tkehw9.exe
2016	jmf6tkehw9.exe

pid	process
1468	lnogrsyiy.exe

description	pid	process
Token: SeDebugPrivilege	2016	jmf6tkehw9.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0007334.xlsx (~2.2 MB).exelnogrsyiy.exejmf6tkehw9.exe

description	pid	process	target process
PID 324 wrote to memory of 1468	324	0007334.xlsx (~2.2 MB).exe	lnogrsyiy.exe
PID 324 wrote to memory of 1468	324	0007334.xlsx (~2.2 MB).exe	lnogrsyiy.exe
PID 324 wrote to memory of 1468	324	0007334.xlsx (~2.2 MB).exe	lnogrsyiy.exe
PID 324 wrote to memory of 1468	324	0007334.xlsx (~2.2 MB).exe	lnogrsyiy.exe
PID 1468 wrote to memory of 2016	1468	lnogrsyiy.exe	jmf6tkehw9.exe
PID 1468 wrote to memory of 2016	1468	lnogrsyiy.exe	jmf6tkehw9.exe
PID 1468 wrote to memory of 2016	1468	lnogrsyiy.exe	jmf6tkehw9.exe
PID 1468 wrote to memory of 2016	1468	lnogrsyiy.exe	jmf6tkehw9.exe
PID 1468 wrote to memory of 2016	1468	lnogrsyiy.exe	jmf6tkehw9.exe
PID 2016 wrote to memory of 888	2016	jmf6tkehw9.exe	dw20.exe
PID 2016 wrote to memory of 888	2016	jmf6tkehw9.exe	dw20.exe
PID 2016 wrote to memory of 888	2016	jmf6tkehw9.exe	dw20.exe
PID 2016 wrote to memory of 888	2016	jmf6tkehw9.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\0007334.xlsx (~2.2 MB).exe
"C:\Users\Admin\AppData\Local\Temp\0007334.xlsx (~2.2 MB).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\lnogrsyiy.exe
C:\Users\Admin\AppData\Local\Temp\lnogrsyiy.exe C:\Users\Admin\AppData\Local\Temp\yegqj.tj
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1468

C:\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
C:\Users\Admin\AppData\Local\Temp\lnogrsyiy.exe C:\Users\Admin\AppData\Local\Temp\yegqj.tj
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 508
4⤵
- Loads dropped DLL
PID:888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnogrsyiy.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnogrsyiy.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwqrftmm.q
MD5
83e4950e513919c78f4a9bf4dbc04c08

SHA1
cae9a52fee439040e36ef28899404da14e1dc7f0

SHA256
0e297bcb3da75d0436488132509a335a1503aaeb783a80fe151233cabad42bd8

SHA512
8f9ab858af4d5929cc2972487638bb446c85fbe1b926f793c9d92bf0f3c42da4b978036724fcdd53c473ba88d96b2543daaade8518fab87d61f89d103f96bda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yegqj.tj
MD5
d1dbcb5fa281fbfe034e6d63ac7c0efc

SHA1
a6f406170d8b69ee2a4b4da3650af20397eb6386

SHA256
569774e749baef7e9af3e729a6465df797fb0421b1107adebc212b046a305780

SHA512
d7300642686ec934ef6e96b137944557d6508e343e047ab49944a43b8376cbcf1d4be9994a337e2d36fc2b3f7599da469f4b5ad3ec57d753d15930d317365b21

Download Submit
\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\jmf6tkehw9.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\lnogrsyiy.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/324-2-0x00000000766C1000-0x00000000766C3000-memory.dmp

Filesize
8KB

Download
memory/888-22-0x0000000001E50000-0x0000000001E61000-memory.dmp

Filesize
68KB

Download
memory/888-32-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/888-28-0x0000000002320000-0x0000000002331000-memory.dmp

Filesize
68KB

Download
memory/888-21-0x0000000000000000-mapping.dmp

Download
memory/888-25-0x0000000001E50000-0x0000000001E61000-memory.dmp

Filesize
68KB

Download
memory/1468-11-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1468-4-0x0000000000000000-mapping.dmp

Download
memory/2016-16-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/2016-17-0x0000000002291000-0x0000000002292000-memory.dmp

Filesize
4KB

Download
memory/2016-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2016-12-0x000000000040188B-mapping.dmp

Download
memory/2016-20-0x0000000002298000-0x0000000002299000-memory.dmp

Filesize
4KB

Download
memory/2016-18-0x0000000002292000-0x0000000002294000-memory.dmp

Filesize
8KB

Download
memory/2016-19-0x0000000002297000-0x0000000002298000-memory.dmp

Filesize
4KB

Download