agenttesla | 7a4b1e5015937985613975df6c4f2046b0398c6e32ea10b780da1cce61ef3d44

General

Target

COVID-19 Emergency.exe
Size

610KB
MD5

ea4216e97a3007309295e8a7b769208b
SHA1

bf86f6614965d6ebd5d2ea10d46780a86b225c44
SHA256

7a4b1e5015937985613975df6c4f2046b0398c6e32ea10b780da1cce61ef3d44
SHA512

3d13436cfd5ab6db58b017fb7ffa1bfc62cecf9c899a5d880233457f0ac9dd331c37eca300271cdf2ed0cfb6a7e437299861aee3c8635bc33812fbc8830804ff

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1420-56-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral1/memory/1420-57-0x000000000040188B-mapping.dmp	family_agenttesla
behavioral1/memory/1420-59-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

COVID-19 Emergency.exe

pid process

676 COVID-19 Emergency.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

COVID-19 Emergency.exe

description pid process target process

PID 676 set thread context of 1420 676 COVID-19 Emergency.exe COVID-19 Emergency.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

COVID-19 Emergency.exe

pid process

1420 COVID-19 Emergency.exe
1420 COVID-19 Emergency.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dw20.exe

pid process

1464 dw20.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

COVID-19 Emergency.exe

description pid process

Token: SeDebugPrivilege 1420 COVID-19 Emergency.exe

pid	process
676	COVID-19 Emergency.exe

description	pid	process	target process
PID 676 set thread context of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe

pid	process
1420	COVID-19 Emergency.exe
1420	COVID-19 Emergency.exe

pid	process
1464	dw20.exe

description	pid	process
Token: SeDebugPrivilege	1420	COVID-19 Emergency.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

COVID-19 Emergency.exeCOVID-19 Emergency.exe

description	pid	process	target process
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 676 wrote to memory of 1420	676	COVID-19 Emergency.exe	COVID-19 Emergency.exe
PID 1420 wrote to memory of 1464	1420	COVID-19 Emergency.exe	dw20.exe
PID 1420 wrote to memory of 1464	1420	COVID-19 Emergency.exe	dw20.exe
PID 1420 wrote to memory of 1464	1420	COVID-19 Emergency.exe	dw20.exe
PID 1420 wrote to memory of 1464	1420	COVID-19 Emergency.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\COVID-19 Emergency.exe
"C:\Users\Admin\AppData\Local\Temp\COVID-19 Emergency.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:676
- C:\Users\Admin\AppData\Local\Temp\COVID-19 Emergency.exe
  "C:\Users\Admin\AppData\Local\Temp\COVID-19 Emergency.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 508
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstC0F0.tmp\mzapy.dll

MD5
60ba5cdda738fa3d2f6788f9b433185f

SHA1
0466178daef91d539cf2d10cc803f3e26ade3a29

SHA256
a4d157016a78a53e8af20517ea1fe369bb68ca98f08a71488491b51bfb52012f

SHA512
a4d647880c57ed685fa9c5ec6347ce81b2a53d797d6477e9cd87aed310e920692ebf67adf02e3639b4f1b76720457a6111b50df933b6abe30b472b9a87ac5762

Download Submit
memory/676-54-0x0000000075FA1000-0x0000000075FA3000-memory.dmp

Filesize
8KB

Download
memory/1420-56-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1420-57-0x000000000040188B-mapping.dmp

Download
memory/1420-60-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/1420-61-0x0000000002101000-0x0000000002102000-memory.dmp

Filesize
4KB

Download
memory/1420-59-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1420-62-0x0000000002102000-0x0000000002104000-memory.dmp

Filesize
8KB

Download
memory/1420-63-0x0000000002107000-0x0000000002108000-memory.dmp

Filesize
4KB

Download
memory/1464-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing