agenttesla | 2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c

General

Target

2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
Size

1.0MB
MD5

e534b53d075fe29c9aa3030b7f4cd661
SHA1

7369f1567d017938b715d624d4635f867d24989a
SHA256

2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c
SHA512

ee6ca412f6b8b71d1eadb64ebf8915cda679e2c98fa80cd84119934beea3c75121b2a6bbe8075907b95c77e96698bbf8d383cc59a7dde7931712ecace321c569

Score

10^/10

agenttesla metastealer evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1495483448:AAGd3prw4Kj-_QDn5QOZCeOnj6Y116TT7Wg/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

AgentTesla Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1548-134-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1548	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
1548	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
Token: SeDebugPrivilege	1548	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2552	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	92
PID 2284 wrote to memory of 2552	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	92
PID 2284 wrote to memory of 2552	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	92
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94
PID 2284 wrote to memory of 1548	2284	2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe	94

C:\Users\Admin\AppData\Local\Temp\2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
"C:\Users\Admin\AppData\Local\Temp\2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YnJVcnIqEAehuo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49E5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\2d334ff51483236fa87270be95e77b196989ca1c9bea4d803aa059c4758a917c.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp49E5.tmp

Filesize
1KB

MD5
358489faa7fd758d058064366f94201d

SHA1
1212370560fc8696f295c2aea4f4936648385662

SHA256
606bd2178edcc6f73c26b22e932aa3103643dfd2a578f120d44b5c738d78ad95

SHA512
f676696c2765d0213be1bc5859ee40f85c1be4fdfb848f8b2c46cc84210f6024fb1956aecf70b4756deb83fe829079cac1e9fcbd57a9694a1596cd8fcdd774da

Download Submit
memory/1548-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-124-0x0000000000070000-0x000000000017C000-memory.dmp

Filesize
1.0MB

Download
memory/2284-125-0x00000000050B0000-0x0000000005654000-memory.dmp

Filesize
5.6MB

Download
memory/2284-126-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/2284-127-0x0000000004B30000-0x0000000004B3A000-memory.dmp

Filesize
40KB

Download
memory/2284-128-0x0000000008780000-0x0000000008CAC000-memory.dmp

Filesize
5.2MB

Download
memory/2284-129-0x0000000000A60000-0x0000000000AFC000-memory.dmp

Filesize
624KB

Download
memory/2284-130-0x00000000086E0000-0x0000000008746000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads