agenttesla | d39a34c9a9bd2eace9b016b4e399d802b029557d44838223498636bc58b1b3d6

General

Target

160-4833933645027883.exe
Size

376KB
MD5

49b30367cc4e82565b22cf3299d673c0
SHA1

fc09b42732f4882bc43845aa16448db259db2820
SHA256

d254745ca2edd62c5e9d3231b3131ae065b2e1759fe9916df96e6c14af59a99e
SHA512

c1c727c156fc8933a71b0aec68bba4c9ec9f7fdfe0b106e0554c0d20f485823c2e4965ec66713e8f0f5557cc4dc8daa6bb5b2715836ac7a62e12269e626b01df
SSDEEP

6144:QBn1tG7w8exMNhxFa0L0CCEPnedspOjYj2d8xKGAZNj1a0vC3aAeFaWPT6QFa7Hm:gQDexMBA0L0AYNd8VALjIMC3aLtT6QFz

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

gleyixnnq.exegleyixnnq.exe

pid process

2160 gleyixnnq.exe
4976 gleyixnnq.exe

pid	process
2160	gleyixnnq.exe
4976	gleyixnnq.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gleyixnnq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mwmwcnfsrpytkd = "C:\\Users\\Admin\\AppData\\Roaming\\hmblfccxys\\luintelyveapby.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\gleyixnnq.exe\" C:\\Users\\Admin\\AppD"	gleyixnnq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

gleyixnnq.exe

description pid process target process

PID 2160 set thread context of 4976 2160 gleyixnnq.exe gleyixnnq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2968 4976 WerFault.exe gleyixnnq.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

gleyixnnq.exe

pid process

4976 gleyixnnq.exe
4976 gleyixnnq.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

gleyixnnq.exe

pid process

2160 gleyixnnq.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gleyixnnq.exe

description pid process

Token: SeDebugPrivilege 4976 gleyixnnq.exe

description	pid	process	target process
PID 2160 set thread context of 4976	2160	gleyixnnq.exe	gleyixnnq.exe

pid	pid_target	process	target process
2968	4976	WerFault.exe	gleyixnnq.exe

pid	process
4976	gleyixnnq.exe
4976	gleyixnnq.exe

pid	process
2160	gleyixnnq.exe

description	pid	process
Token: SeDebugPrivilege	4976	gleyixnnq.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

160-4833933645027883.exegleyixnnq.exe

description	pid	process	target process
PID 1160 wrote to memory of 2160	1160	160-4833933645027883.exe	gleyixnnq.exe
PID 1160 wrote to memory of 2160	1160	160-4833933645027883.exe	gleyixnnq.exe
PID 1160 wrote to memory of 2160	1160	160-4833933645027883.exe	gleyixnnq.exe
PID 2160 wrote to memory of 4976	2160	gleyixnnq.exe	gleyixnnq.exe
PID 2160 wrote to memory of 4976	2160	gleyixnnq.exe	gleyixnnq.exe
PID 2160 wrote to memory of 4976	2160	gleyixnnq.exe	gleyixnnq.exe
PID 2160 wrote to memory of 4976	2160	gleyixnnq.exe	gleyixnnq.exe

C:\Users\Admin\AppData\Local\Temp\160-4833933645027883.exe
"C:\Users\Admin\AppData\Local\Temp\160-4833933645027883.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe
"C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe" C:\Users\Admin\AppData\Local\Temp\kbtqgbfjer.am
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe
"C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe" C:\Users\Admin\AppData\Local\Temp\kbtqgbfjer.am
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 968
4⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4976 -ip 4976
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe

Filesize
332KB

MD5
c8cb40779fd4a777c0f430bbb5d9f4b0

SHA1
2286ae0eafed7de5f975ae66a935f3440901f100

SHA256
2668a97429e0591f37d064dc062ba2ea5c5d625b1c7b3476e9f090bf70d60ac1

SHA512
f6d4afbac99f8b1db0f353b30001320b896f1b1e18985ffb4bb5d72af1a0f02bf7cc9b513b4cbcf4b8cee37b33f9ab2e90c40983c81347ea2f6c7a9691b206cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe

Filesize
332KB

MD5
c8cb40779fd4a777c0f430bbb5d9f4b0

SHA1
2286ae0eafed7de5f975ae66a935f3440901f100

SHA256
2668a97429e0591f37d064dc062ba2ea5c5d625b1c7b3476e9f090bf70d60ac1

SHA512
f6d4afbac99f8b1db0f353b30001320b896f1b1e18985ffb4bb5d72af1a0f02bf7cc9b513b4cbcf4b8cee37b33f9ab2e90c40983c81347ea2f6c7a9691b206cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\gleyixnnq.exe

Filesize
332KB

MD5
c8cb40779fd4a777c0f430bbb5d9f4b0

SHA1
2286ae0eafed7de5f975ae66a935f3440901f100

SHA256
2668a97429e0591f37d064dc062ba2ea5c5d625b1c7b3476e9f090bf70d60ac1

SHA512
f6d4afbac99f8b1db0f353b30001320b896f1b1e18985ffb4bb5d72af1a0f02bf7cc9b513b4cbcf4b8cee37b33f9ab2e90c40983c81347ea2f6c7a9691b206cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdczdi.v

Filesize
274KB

MD5
0af499a479187c93859e4cf526e2de13

SHA1
e65596754b2b536d940a79c453a92294fedd7a8c

SHA256
476b8ec11d719c23e583f2c58d7f726ad1c556ef722970c2735ce0c4576e9ae8

SHA512
b5f6ec8d4e28d25ccc62a5b46600738d104f071794f11257f1bcea3a074383a9380c6e2afa1271c978715dc3088ee52b1dcab55d2c91784e8010fbf94b422f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbtqgbfjer.am

Filesize
7KB

MD5
3036a6ea4950e2c3bacc586c31cfab7b

SHA1
801658a7fcf015db76cf15e6baad0a49ad6c6fcc

SHA256
6b9246fb40c66f4287c4487752e2fc66bd87f8a46be2cfe0decae6eb63d5ab47

SHA512
e131fe868f1a9815b8d8695b255a6c937879a5b4fa7eabd2c408e8fbf813655b036ac572272a37beefff0bb4043c7fbe31a23273a8a02f8b6f4832aa3fea4c81

Download Submit
memory/2160-132-0x0000000000000000-mapping.dmp

Download
memory/4976-137-0x0000000000000000-mapping.dmp

Download
memory/4976-139-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4976-140-0x0000000004900000-0x0000000004EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4976-141-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing