agenttesla | d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d

General

Target

d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
Size

1.3MB
MD5

f8d29431dde6dd65e034b99c29ce9c64
SHA1

0c23620a0070f37794b895c35d7afe1de83bc36f
SHA256

d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d
SHA512

844d18e3694ba0ef27c80bfc7a5638cf221559a4fa7e32383e84e9e0b095bdb342cc751ef8e2f39f6b95d438707bbb083434f753d00dbb2fafb5bd666ab6caae

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1176-64-0x0000000000400000-0x0000000000455000-memory.dmp	family_agenttesla
behavioral1/memory/1176-65-0x0000000000454200-mapping.dmp	family_agenttesla
behavioral1/memory/1716-69-0x0000000000454200-mapping.dmp	family_agenttesla
behavioral1/memory/1300-73-0x0000000000454200-mapping.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

Syqcaa.exeSyqcaa.exe

pid process

1324 Syqcaa.exe
1300 Syqcaa.exe

pid	process
1324	Syqcaa.exe
1300	Syqcaa.exe

Loads dropped DLL 3 IoCs

Processes:

d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe

pid	process
304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Syqcaa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Syq = "C:\\Users\\Admin\\AppData\\Local\\Syq\\Syqnb.vbs"	Syqcaa.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Syqcaa.exe

description	pid	process	target process
PID 1324 set thread context of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 set thread context of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 set thread context of 1300	1324	Syqcaa.exe	Syqcaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Syqcaa.exe

pid process

1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe
1324 Syqcaa.exe

pid	process
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe
1324	Syqcaa.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exeSyqcaa.exe

description	pid	process	target process
PID 304 wrote to memory of 1324	304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe	Syqcaa.exe
PID 304 wrote to memory of 1324	304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe	Syqcaa.exe
PID 304 wrote to memory of 1324	304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe	Syqcaa.exe
PID 304 wrote to memory of 1324	304	d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe	Syqcaa.exe
PID 1324 wrote to memory of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 wrote to memory of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 wrote to memory of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 wrote to memory of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 wrote to memory of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 wrote to memory of 1176	1324	Syqcaa.exe	TapiUnattend.exe
PID 1324 wrote to memory of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 wrote to memory of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 wrote to memory of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 wrote to memory of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 wrote to memory of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 wrote to memory of 1716	1324	Syqcaa.exe	sxstrace.exe
PID 1324 wrote to memory of 1300	1324	Syqcaa.exe	Syqcaa.exe
PID 1324 wrote to memory of 1300	1324	Syqcaa.exe	Syqcaa.exe
PID 1324 wrote to memory of 1300	1324	Syqcaa.exe	Syqcaa.exe
PID 1324 wrote to memory of 1300	1324	Syqcaa.exe	Syqcaa.exe
PID 1324 wrote to memory of 1300	1324	Syqcaa.exe	Syqcaa.exe
PID 1324 wrote to memory of 1300	1324	Syqcaa.exe	Syqcaa.exe

C:\Users\Admin\AppData\Local\Temp\d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe
"C:\Users\Admin\AppData\Local\Temp\d32c5920ed9458d43b110e3ed34a54d617e173c76f5841003570a8c9ac95f75d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Roaming\Syqcaa.exe
"C:\Users\Admin\AppData\Roaming\Syqcaa.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\TapiUnattend.exe
"C:\Windows\System32\TapiUnattend.exe"
3⤵
PID:1176

C:\Windows\SysWOW64\sxstrace.exe
"C:\Windows\System32\sxstrace.exe"
3⤵
PID:1716

C:\Users\Admin\AppData\Roaming\Syqcaa.exe
"C:\Users\Admin\AppData\Roaming\Syqcaa.exe"
3⤵
- Executes dropped EXE
PID:1300

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Syq.bmp
Filesize
1.1MB

MD5
5d801ad9e4e0968882610093c2da99e4

SHA1
d571efc92376e42b2d52990b46ac56301efe53eb

SHA256
01b6cc5ce5fefee474567d6976a6f1e16bfb7b04b284e1ad016628470a6ea64d

SHA512
dedf3341c2102a8fe89d52d428a4462133e33f1a9342a308af3262c89292bcf9ac49ac7136a9bcf9c01728f4c6a7d62c3aa8ef1be630c4f5f4ae55a72de37465

Download Submit
C:\Users\Admin\AppData\Roaming\Syqcaa.exe
Filesize
489KB

MD5
86788fb5973f81acb9f960562056b4e0

SHA1
649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d

SHA256
ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4

SHA512
f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b

Download Submit
C:\Users\Admin\AppData\Roaming\Syqcaa.exe
Filesize
489KB

MD5
86788fb5973f81acb9f960562056b4e0

SHA1
649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d

SHA256
ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4

SHA512
f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b

Download Submit
C:\Users\Admin\AppData\Roaming\Syqcaa.exe
Filesize
489KB

MD5
86788fb5973f81acb9f960562056b4e0

SHA1
649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d

SHA256
ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4

SHA512
f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b

Download Submit
\Users\Admin\AppData\Roaming\Syqcaa.exe
Filesize
489KB

MD5
86788fb5973f81acb9f960562056b4e0

SHA1
649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d

SHA256
ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4

SHA512
f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b

Download Submit
\Users\Admin\AppData\Roaming\Syqcaa.exe
Filesize
489KB

MD5
86788fb5973f81acb9f960562056b4e0

SHA1
649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d

SHA256
ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4

SHA512
f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b

Download Submit
\Users\Admin\AppData\Roaming\Syqcaa.exe
Filesize
489KB

MD5
86788fb5973f81acb9f960562056b4e0

SHA1
649fe2ceeddb5176c9ecf42e9988974b4d6dfa9d

SHA256
ad1c0fcad688cb96556b2794627851defb6ca697e4445d908d69472053aa28e4

SHA512
f492aff12e080eb7f5d36004b10e28c5a4b184f538ad0d68597d85883dc73c59625653aa79034aec83ccd3c4c2ba8112024ade760606f6c1c64b385f8f3e065b

Download Submit
memory/304-54-0x0000000075311000-0x0000000075313000-memory.dmp

Filesize
8KB

Download
memory/1176-62-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1176-64-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1176-65-0x0000000000454200-mapping.dmp

Download
memory/1300-73-0x0000000000454200-mapping.dmp

Download
memory/1324-58-0x0000000000000000-mapping.dmp

Download
memory/1716-69-0x0000000000454200-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads