agenttesla | e6ecdaef474a3ea4407eae99ea219723f686756f42cf6bcff199f34677be8a20

General

Target

swif.exe
Size

440KB
MD5

ceae6fe1fbf29a7edc7e4bdc0fa1e90d
SHA1

0ce8bcf3606890d226454341edd131f025f11d3f
SHA256

e6ecdaef474a3ea4407eae99ea219723f686756f42cf6bcff199f34677be8a20
SHA512

50b3189b566cf32657510e9b67b90c4cc25e1ec107fdb6bf268bc5b333839dc854a8993ebb3f1a8457a80a89234931e09dbf11e20cc1cd4b0fbdcc709a222c0e

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1404-55-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral1/memory/1404-56-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral1/memory/1404-58-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

swif.exe

pid process

2024 swif.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

swif.exe

description pid process target process

PID 2024 set thread context of 1404 2024 swif.exe swif.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

swif.exe

pid process

1404 swif.exe
1404 swif.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

324 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

swif.exe

description pid process

Token: SeDebugPrivilege 1404 swif.exe

pid	process
2024	swif.exe

description	pid	process	target process
PID 2024 set thread context of 1404	2024	swif.exe	swif.exe

pid	process
1404	swif.exe
1404	swif.exe

pid	process
324	dw20.exe

description	pid	process
Token: SeDebugPrivilege	1404	swif.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

swif.exeswif.exe

description	pid	process	target process
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 2024 wrote to memory of 1404	2024	swif.exe	swif.exe
PID 1404 wrote to memory of 324	1404	swif.exe	dw20.exe
PID 1404 wrote to memory of 324	1404	swif.exe	dw20.exe
PID 1404 wrote to memory of 324	1404	swif.exe	dw20.exe
PID 1404 wrote to memory of 324	1404	swif.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\swif.exe
"C:\Users\Admin\AppData\Local\Temp\swif.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\swif.exe
  "C:\Users\Admin\AppData\Local\Temp\swif.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 508
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyF133.tmp\apcvw.dll

MD5
d9a3dbd5ccd605e72789888cb1bd1070

SHA1
72d6ea339a1d9d2736d50df39379e5d001fc281a

SHA256
c762e080806c747ed7629a1f870cf413b4bf68e4390899a79c27de90e010b7f2

SHA512
199bce599d749a187157c8692d98fd03fc1f446726b241f3b1f1d3bdf6156095ad767c9b204e6df640484e801120a0befb8e574bd9917e22f39d12b2882f4ef4

Download Submit
memory/324-64-0x0000000000000000-mapping.dmp

Download
memory/324-66-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1404-55-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1404-56-0x000000000040188B-mapping.dmp

Download
memory/1404-59-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/1404-60-0x0000000001E61000-0x0000000001E62000-memory.dmp

Filesize
4KB

Download
memory/1404-61-0x0000000001E62000-0x0000000001E64000-memory.dmp

Filesize
8KB

Download
memory/1404-62-0x0000000001E67000-0x0000000001E68000-memory.dmp

Filesize
4KB

Download
memory/1404-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1404-63-0x0000000001E68000-0x0000000001E69000-memory.dmp

Filesize
4KB

Download
memory/2024-53-0x0000000075821000-0x0000000075823000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing