agenttesla | 750c482a5ed1cc058c1bdfc18bc84d963f03cf75103ff66ea3452128a67bcd0e

General

Target

Purchase Order PO63829.exe
Size

356KB
MD5

b8d994b327b1f42d63e6d9e7294853a0
SHA1

5e6f6dfddffa48bdfd9890f68b456482b40d3b8f
SHA256

750c482a5ed1cc058c1bdfc18bc84d963f03cf75103ff66ea3452128a67bcd0e
SHA512

a6441be339ac71ac91f1416aa7ebf408ddc6b490acb4a82532a16a036d299fd49ccc7aa9b631a61091f28b844ea9bfecf4c2698991d04e01b208a99fc54885f3

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1588-57-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral1/memory/1588-58-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral1/memory/1588-60-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

Purchase Order PO63829.exe

pid process

1360 Purchase Order PO63829.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order PO63829.exe

description pid process target process

PID 1360 set thread context of 1588 1360 Purchase Order PO63829.exe Purchase Order PO63829.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Purchase Order PO63829.exe

pid process

1588 Purchase Order PO63829.exe
1588 Purchase Order PO63829.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

592 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Order PO63829.exe

description pid process

Token: SeDebugPrivilege 1588 Purchase Order PO63829.exe

pid	process
1360	Purchase Order PO63829.exe

description	pid	process	target process
PID 1360 set thread context of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe

pid	process
1588	Purchase Order PO63829.exe
1588	Purchase Order PO63829.exe

pid	process
592	dw20.exe

description	pid	process
Token: SeDebugPrivilege	1588	Purchase Order PO63829.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Purchase Order PO63829.exePurchase Order PO63829.exe

description	pid	process	target process
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1360 wrote to memory of 1588	1360	Purchase Order PO63829.exe	Purchase Order PO63829.exe
PID 1588 wrote to memory of 592	1588	Purchase Order PO63829.exe	dw20.exe
PID 1588 wrote to memory of 592	1588	Purchase Order PO63829.exe	dw20.exe
PID 1588 wrote to memory of 592	1588	Purchase Order PO63829.exe	dw20.exe
PID 1588 wrote to memory of 592	1588	Purchase Order PO63829.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO63829.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 508
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsyACB.tmp\cjkxps.dll

MD5
7b019f3a9e8d090da6cba443fd94e6cd

SHA1
ba78720dbd3a43d22a298f9162fd4b7dfd1749f8

SHA256
ccae014473dfa19d867b763bde0529f56b292bf3e225f48c15b2eed6d81983d7

SHA512
21f1a7f7a2fc29726f065b7f6cb913126d1164df75974373d74d131e65499a962ba14e0c7d56d2d733bef4f376c51810987cd3353e800fb8d73a8a23510fa884

Download Submit
memory/592-66-0x0000000000000000-mapping.dmp

Download
memory/592-68-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1360-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/1588-57-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-58-0x000000000040188B-mapping.dmp

Download
memory/1588-60-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-62-0x0000000001F21000-0x0000000001F22000-memory.dmp

Filesize
4KB

Download
memory/1588-63-0x0000000001F22000-0x0000000001F24000-memory.dmp

Filesize
8KB

Download
memory/1588-61-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1588-64-0x0000000001F27000-0x0000000001F28000-memory.dmp

Filesize
4KB

Download
memory/1588-65-0x0000000001F28000-0x0000000001F29000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing