agenttesla | 291694865cd38c0e9b5a2700f1f4a401e263ff9ec402691bf83710b8e5f819b1

General

Target

bbcrypted.exe
Size

724KB
MD5

0bdce81070764a570057b6381f91c225
SHA1

258b9e1189aa620632803aa1ede6cec3c0d7490b
SHA256

fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a
SHA512

3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

appLaunch.exe

pid process

764 appLaunch.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

948 powershell.exe

pid	process
764	appLaunch.exe

pid	process
948	powershell.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/800-55-0x00000000002E0000-0x00000000002F6000-memory.dmp	agile_net
behavioral1/memory/764-71-0x0000000000370000-0x0000000000386000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\appLaunch = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\appLaunch.exe"	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

bbcrypted.exepowershell.exeappLaunch.exe

pid process

800 bbcrypted.exe
800 bbcrypted.exe
948 powershell.exe
948 powershell.exe
764 appLaunch.exe
764 appLaunch.exe
764 appLaunch.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bbcrypted.exepowershell.exeappLaunch.exe

description pid process

Token: SeDebugPrivilege 800 bbcrypted.exe
Token: SeDebugPrivilege 948 powershell.exe
Token: SeDebugPrivilege 764 appLaunch.exe

pid	process
800	bbcrypted.exe
800	bbcrypted.exe
948	powershell.exe
948	powershell.exe
764	appLaunch.exe
764	appLaunch.exe
764	appLaunch.exe

description	pid	process
Token: SeDebugPrivilege	800	bbcrypted.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	764	appLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

bbcrypted.execmd.exepowershell.exeappLaunch.exe

description	pid	process	target process
PID 800 wrote to memory of 1284	800	bbcrypted.exe	cmd.exe
PID 800 wrote to memory of 1284	800	bbcrypted.exe	cmd.exe
PID 800 wrote to memory of 1284	800	bbcrypted.exe	cmd.exe
PID 800 wrote to memory of 1284	800	bbcrypted.exe	cmd.exe
PID 1284 wrote to memory of 1700	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 1700	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 1700	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 1700	1284	cmd.exe	reg.exe
PID 800 wrote to memory of 948	800	bbcrypted.exe	powershell.exe
PID 800 wrote to memory of 948	800	bbcrypted.exe	powershell.exe
PID 800 wrote to memory of 948	800	bbcrypted.exe	powershell.exe
PID 800 wrote to memory of 948	800	bbcrypted.exe	powershell.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 948 wrote to memory of 764	948	powershell.exe	appLaunch.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe
PID 764 wrote to memory of 272	764	appLaunch.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\bbcrypted.exe
"C:\Users\Admin\AppData\Local\Temp\bbcrypted.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v appLaunch /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\appLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v appLaunch /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\appLaunch.exe"
    3⤵
    - Adds Run key to start application
    PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\appLaunch.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Roaming\appLaunch.exe
    "C:\Users\Admin\AppData\Roaming\appLaunch.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\appLaunch.exe

Filesize
724KB

MD5
0bdce81070764a570057b6381f91c225

SHA1
258b9e1189aa620632803aa1ede6cec3c0d7490b

SHA256
fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a

SHA512
3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

Download Submit
C:\Users\Admin\AppData\Roaming\appLaunch.exe

Filesize
724KB

MD5
0bdce81070764a570057b6381f91c225

SHA1
258b9e1189aa620632803aa1ede6cec3c0d7490b

SHA256
fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a

SHA512
3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

Download Submit
\Users\Admin\AppData\Roaming\appLaunch.exe

Filesize
724KB

MD5
0bdce81070764a570057b6381f91c225

SHA1
258b9e1189aa620632803aa1ede6cec3c0d7490b

SHA256
fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a

SHA512
3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

Download Submit
memory/272-74-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/272-73-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/764-72-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/764-71-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/764-70-0x00000000000E0000-0x000000000019C000-memory.dmp

Filesize
752KB

Download
memory/764-67-0x0000000000000000-mapping.dmp

Download
memory/800-58-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/800-61-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/800-54-0x0000000001070000-0x000000000112C000-memory.dmp

Filesize
752KB

Download
memory/800-57-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/800-56-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/800-55-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/948-64-0x00000000746B0000-0x0000000074C5B000-memory.dmp

Filesize
5.7MB

Download
memory/948-62-0x0000000000000000-mapping.dmp

Download
memory/1284-59-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads