agenttesla | 1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c

Analysis

max time kernel
150s
max time network
91s
platform
windows7_x64
resource
win7v20201028
submitted
28-01-2021 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HTG-69784869.exe
Size

778KB
MD5

652a7d27ddd37e4ce384bc1957c00b9e
SHA1

fe2e68496eed6e1f789e1befe4f4d349d12e4143
SHA256

1321e390a0141decaf5a8dab00fe02bc111ece34f446115842c6afa068c7fd3c
SHA512

536aee0303b8379c57a921c4a504f81d70c73634bb2d34516b3b71943d2e8f5caf59f44de5b67e7838dd1909bb82d0c77aa9a14fb0a36a2321d9e5506e641cd1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1788-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

pscvelqdj.exe987tlsr.exe

pid process

1568 pscvelqdj.exe
1788 987tlsr.exe
Loads dropped DLL 5 IoCs

Processes:

HTG-69784869.exepscvelqdj.exedw20.exe

pid process

2008 HTG-69784869.exe
1568 pscvelqdj.exe
328 dw20.exe
328 dw20.exe
328 dw20.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

pscvelqdj.exe

description pid process target process

PID 1568 set thread context of 1788 1568 pscvelqdj.exe 987tlsr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pscvelqdj.exe987tlsr.exe

pid process

1568 pscvelqdj.exe
1568 pscvelqdj.exe
1568 pscvelqdj.exe
1568 pscvelqdj.exe
1788 987tlsr.exe
1788 987tlsr.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pscvelqdj.exe

pid process

1568 pscvelqdj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

987tlsr.exe

description pid process

Token: SeDebugPrivilege 1788 987tlsr.exe

pid	process
1568	pscvelqdj.exe
1788	987tlsr.exe

pid	process
2008	HTG-69784869.exe
1568	pscvelqdj.exe
328	dw20.exe
328	dw20.exe
328	dw20.exe

description	pid	process	target process
PID 1568 set thread context of 1788	1568	pscvelqdj.exe	987tlsr.exe

pid	process
1568	pscvelqdj.exe
1568	pscvelqdj.exe
1568	pscvelqdj.exe
1568	pscvelqdj.exe
1788	987tlsr.exe
1788	987tlsr.exe

pid	process
1568	pscvelqdj.exe

description	pid	process
Token: SeDebugPrivilege	1788	987tlsr.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

HTG-69784869.exepscvelqdj.exe987tlsr.exe

description	pid	process	target process
PID 2008 wrote to memory of 1568	2008	HTG-69784869.exe	pscvelqdj.exe
PID 2008 wrote to memory of 1568	2008	HTG-69784869.exe	pscvelqdj.exe
PID 2008 wrote to memory of 1568	2008	HTG-69784869.exe	pscvelqdj.exe
PID 2008 wrote to memory of 1568	2008	HTG-69784869.exe	pscvelqdj.exe
PID 1568 wrote to memory of 1788	1568	pscvelqdj.exe	987tlsr.exe
PID 1568 wrote to memory of 1788	1568	pscvelqdj.exe	987tlsr.exe
PID 1568 wrote to memory of 1788	1568	pscvelqdj.exe	987tlsr.exe
PID 1568 wrote to memory of 1788	1568	pscvelqdj.exe	987tlsr.exe
PID 1568 wrote to memory of 1788	1568	pscvelqdj.exe	987tlsr.exe
PID 1788 wrote to memory of 328	1788	987tlsr.exe	dw20.exe
PID 1788 wrote to memory of 328	1788	987tlsr.exe	dw20.exe
PID 1788 wrote to memory of 328	1788	987tlsr.exe	dw20.exe
PID 1788 wrote to memory of 328	1788	987tlsr.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\HTG-69784869.exe
"C:\Users\Admin\AppData\Local\Temp\HTG-69784869.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\pscvelqdj.exe
C:\Users\Admin\AppData\Local\Temp\pscvelqdj.exe C:\Users\Admin\AppData\Local\Temp\tcpgayny.w
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\987tlsr.exe
C:\Users\Admin\AppData\Local\Temp\pscvelqdj.exe C:\Users\Admin\AppData\Local\Temp\tcpgayny.w
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 508
4⤵
- Loads dropped DLL
PID:328

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\987tlsr.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\987tlsr.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pscvelqdj.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pscvelqdj.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcpgayny.w
MD5
6ae0b4f6ae333dfe33829ea82061ca51

SHA1
41385437464d9140225d857018ad1e137abec176

SHA256
820378722e43cd9b762dcbfc7998f4e4386b321094caaa783394a19362701af6

SHA512
779a4fef5ca308840fc273f6439dd6845475fb3f28a5fcfbdd438fb6647c7f7f5307dc6eeb974108813172401b19330c78c5b6c07f27355fbec001db2056efbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxcdnq.qjp
MD5
50974f348d2efa2973548fad944c5945

SHA1
78b80e51f91d62e842c498088c29877bab3c9140

SHA256
fbbba0bbfc07689097f510175993ce8325e417d295ff009c534a533ee7aa2bbf

SHA512
e3c72cb6f4c1a21e511d8c84948ee9109b43974ae0f8490c3387c5e8978d92777fc73cebe901a2211e2b35d5e727f2c1ea01ae67dd8f78bb026178df53cabb71

Download Submit
\Users\Admin\AppData\Local\Temp\987tlsr.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\987tlsr.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\987tlsr.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\987tlsr.exe
MD5
535dd1329aef11bf4654b3270f026d5b

SHA1
9c84de0bde8333f852120ab40710545b3f799300

SHA256
b31445fc4b8803d1b7122a6563002cfe3e925ffd1fdc9b84fba6fc78f6a8b955

SHA512
a552e20a09a796a6e3e18dece308880069c958cf9136bb4fc3ee726d6bc9b2f8eddbcff06ff9f9ded4dd268f5d0f39d516ad42ecce6455a4bf5cf4f3cb4c4ecc

Download Submit
\Users\Admin\AppData\Local\Temp\pscvelqdj.exe
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/328-22-0x0000000002070000-0x0000000002081000-memory.dmp

Filesize
68KB

Download
memory/328-21-0x0000000000000000-mapping.dmp

Download
memory/328-29-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/328-26-0x0000000002340000-0x0000000002351000-memory.dmp

Filesize
68KB

Download
memory/1568-4-0x0000000000000000-mapping.dmp

Download
memory/1568-14-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/1788-11-0x000000000040188B-mapping.dmp

Download
memory/1788-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1788-20-0x0000000000318000-0x0000000000319000-memory.dmp

Filesize
4KB

Download
memory/1788-16-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1788-18-0x0000000000312000-0x0000000000314000-memory.dmp

Filesize
8KB

Download
memory/1788-19-0x0000000000317000-0x0000000000318000-memory.dmp

Filesize
4KB

Download
memory/1788-17-0x0000000000311000-0x0000000000312000-memory.dmp

Filesize
4KB

Download
memory/2008-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download