agenttesla | 26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70

Analysis

max time kernel
10s
max time network
9s
platform
windows7_x64
resource
win7v20201028
submitted
28-01-2021 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order List SYINDAC_pdf.exe
Size

778KB
MD5

8f3822b0efdca3e1e7f4b56ea55de84c
SHA1

9ff92dd22877ae392fc8bd717916fb71198b913a
SHA256

26dad1e44b5d06bcee5cddb288e3cd623da7bfd1d44a68661e27796f32e3de70
SHA512

27d7fb388270bbaa7698fa1d8df8016e3170310fc0ec079f1af5a6e8766867019f6cd591ea8a96ed13f13aca123e2390eef503e9e852f6ea22010b79ab7e8e0f

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1168-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

dytvqp.exebc1162ts.exe

pid process

1928 dytvqp.exe
1168 bc1162ts.exe
Loads dropped DLL 5 IoCs

Processes:

Order List SYINDAC_pdf.exedytvqp.exedw20.exe

pid process

1724 Order List SYINDAC_pdf.exe
1928 dytvqp.exe
1324 dw20.exe
1324 dw20.exe
1324 dw20.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dytvqp.exe

description pid process target process

PID 1928 set thread context of 1168 1928 dytvqp.exe bc1162ts.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

dytvqp.exebc1162ts.exe

pid process

1928 dytvqp.exe
1928 dytvqp.exe
1928 dytvqp.exe
1928 dytvqp.exe
1168 bc1162ts.exe
1168 bc1162ts.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

dytvqp.exe

pid process

1928 dytvqp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bc1162ts.exe

description pid process

Token: SeDebugPrivilege 1168 bc1162ts.exe

pid	process
1928	dytvqp.exe
1168	bc1162ts.exe

pid	process
1724	Order List SYINDAC_pdf.exe
1928	dytvqp.exe
1324	dw20.exe
1324	dw20.exe
1324	dw20.exe

description	pid	process	target process
PID 1928 set thread context of 1168	1928	dytvqp.exe	bc1162ts.exe

pid	process
1928	dytvqp.exe
1928	dytvqp.exe
1928	dytvqp.exe
1928	dytvqp.exe
1168	bc1162ts.exe
1168	bc1162ts.exe

pid	process
1928	dytvqp.exe

description	pid	process
Token: SeDebugPrivilege	1168	bc1162ts.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Order List SYINDAC_pdf.exedytvqp.exebc1162ts.exe

description	pid	process	target process
PID 1724 wrote to memory of 1928	1724	Order List SYINDAC_pdf.exe	dytvqp.exe
PID 1724 wrote to memory of 1928	1724	Order List SYINDAC_pdf.exe	dytvqp.exe
PID 1724 wrote to memory of 1928	1724	Order List SYINDAC_pdf.exe	dytvqp.exe
PID 1724 wrote to memory of 1928	1724	Order List SYINDAC_pdf.exe	dytvqp.exe
PID 1928 wrote to memory of 1168	1928	dytvqp.exe	bc1162ts.exe
PID 1928 wrote to memory of 1168	1928	dytvqp.exe	bc1162ts.exe
PID 1928 wrote to memory of 1168	1928	dytvqp.exe	bc1162ts.exe
PID 1928 wrote to memory of 1168	1928	dytvqp.exe	bc1162ts.exe
PID 1928 wrote to memory of 1168	1928	dytvqp.exe	bc1162ts.exe
PID 1168 wrote to memory of 1324	1168	bc1162ts.exe	dw20.exe
PID 1168 wrote to memory of 1324	1168	bc1162ts.exe	dw20.exe
PID 1168 wrote to memory of 1324	1168	bc1162ts.exe	dw20.exe
PID 1168 wrote to memory of 1324	1168	bc1162ts.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Order List SYINDAC_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Order List SYINDAC_pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
C:\Users\Admin\AppData\Local\Temp\dytvqp.exe C:\Users\Admin\AppData\Local\Temp\kespior.rfy
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe
C:\Users\Admin\AppData\Local\Temp\dytvqp.exe C:\Users\Admin\AppData\Local\Temp\kespior.rfy
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 508
4⤵
- Loads dropped DLL
PID:1324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc1162ts.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dytvqp.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kespior.rfy
MD5
c3949144bb72c297522c2e6fdcdbea57

SHA1
4a371154a20b528fa05c4fa2eef1750c9db5ac72

SHA256
06c107c749c694657cb4db1d1435b1900b8a7a6865f749922a0566e281061129

SHA512
1cc83e93665080aebb47ae169f6f3c7dfe349fa9f49ce3a0b81ac9c6b77a49656742125e9d4fd201ca94a1a5a7c7f4eb260e451e54e7960518ba2ec17ff855d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\owxklbaafv.toy
MD5
2f94a5162c3f9ff2d64f3070fc744cf1

SHA1
1cea9317442d006b88764988190d43c9204a4e21

SHA256
f5a997fa019287568e2eae7bc4712517ee5584c7edf51b5776243d1bbd4d6d3d

SHA512
a47a3e13c2144194a77dfe599c064f81b50c2df2bd0b12578f5e6a75b3aebec996d699d1899afc4a3e1edc3151cbb16f6b3625bd912383982c70fa09cab6b9f0

Download Submit
\Users\Admin\AppData\Local\Temp\bc1162ts.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\bc1162ts.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\bc1162ts.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\bc1162ts.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\dytvqp.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1168-17-0x0000000002361000-0x0000000002362000-memory.dmp

Filesize
4KB

Download
memory/1168-11-0x000000000040188B-mapping.dmp

Download
memory/1168-16-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1168-20-0x0000000002368000-0x0000000002369000-memory.dmp

Filesize
4KB

Download
memory/1168-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1168-18-0x0000000002362000-0x0000000002364000-memory.dmp

Filesize
8KB

Download
memory/1168-19-0x0000000002367000-0x0000000002368000-memory.dmp

Filesize
4KB

Download
memory/1324-22-0x0000000001E30000-0x0000000001E41000-memory.dmp

Filesize
68KB

Download
memory/1324-21-0x0000000000000000-mapping.dmp

Download
memory/1324-26-0x0000000002300000-0x0000000002311000-memory.dmp

Filesize
68KB

Download
memory/1324-29-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1928-14-0x0000000000290000-0x0000000000292000-memory.dmp

Filesize
8KB

Download
memory/1928-4-0x0000000000000000-mapping.dmp

Download