agenttesla | fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48

General

Target

fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
Size

537KB
MD5

03e287ec10c07c45c359c024d423debc
SHA1

3c13bb9709fa850d6eb76a150f19840043935a39
SHA256

fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48
SHA512

e57c3ce93756460287465fc05b61af4cf5b6d820f344ed15b01dba0322a63bfaee6b72125367332d95cec77bb570d9b18ca4d70b5146e8db492b4a29d7416a5f

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3588-138-0x0000000000400000-0x000000000045A000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3304 set thread context of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
3588	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
3588	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
Token: SeDebugPrivilege	3588	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 2308	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	87
PID 3304 wrote to memory of 2308	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	87
PID 3304 wrote to memory of 2308	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	87
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89
PID 3304 wrote to memory of 3588	3304	fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe	89

C:\Users\Admin\AppData\Local\Temp\fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
"C:\Users\Admin\AppData\Local\Temp\fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lAItAq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47E1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe
  "C:\Users\Admin\AppData\Local\Temp\fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fa6b635dbeb54520183858face68bfb2056b9d6ca7f0f971b352f1ad90d80a48.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47E1.tmp

Filesize
1KB

MD5
1455d13159a157d8e6636790eee89dd8

SHA1
553421fb2142a70929d7ca0f1e72608eddfe7394

SHA256
6753f27a4e88b4fdf5570b075737a1c97f2b573d31dd3537ea775a686d52b65d

SHA512
ffdc1dc277ac4ade574bf63cb2e385c8da5f7e035c09edd374f62589de759226881fd867e321b35f53e110bc4f1cde57d64ceef8907f0d62de00c3873c93e1d3

Download Submit
memory/3304-130-0x00000000004E0000-0x000000000056C000-memory.dmp

Filesize
560KB

Download
memory/3304-131-0x00000000054B0000-0x0000000005A54000-memory.dmp

Filesize
5.6MB

Download
memory/3304-132-0x0000000004FA0000-0x0000000005032000-memory.dmp

Filesize
584KB

Download
memory/3304-133-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/3304-134-0x000000000AFC0000-0x000000000B05C000-memory.dmp

Filesize
624KB

Download
memory/3588-138-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3588-140-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads