agenttesla | 325216a364f592e7152bacd50dda7b084120186c71ad5a4c3af8d2583b752cde

Analysis

max time kernel
141s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
Size

320KB
MD5

c50d0e6336b2a71bebcf898513c337a7
SHA1

209a96f4252de81b40ada8137373f96e51acd897
SHA256

4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c
SHA512

c13d1582f7773191a1ce599da7ca453f2ef7d4cb651edbbd9bb69b102165b91bbabf92cb57e01fbbca33a8a25e821d80938e3debdff29b526781b587dd2628b2
SSDEEP

6144:vYa6CRBAqdiNnbGL0cIizDZEzAapf3iNQUoNEr6Z2HW9HcWZR:vYkRyrnbe0czvWzAi3iaN1f8OR

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral1/memory/1528-69-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral1/memory/1528-72-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral1/memory/1528-74-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2000	dvqwjgk.exe
1528	dvqwjgk.exe

Loads dropped DLL 5 IoCs

pid	Process
2044	4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
2044	4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
2000	dvqwjgk.exe
268	dw20.exe
268	dw20.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 1528	2000	dvqwjgk.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1528	dvqwjgk.exe
1528	dvqwjgk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
268	dw20.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2000	dvqwjgk.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	dvqwjgk.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2000	2044	4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe	28
PID 2044 wrote to memory of 2000	2044	4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe	28
PID 2044 wrote to memory of 2000	2044	4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe	28
PID 2044 wrote to memory of 2000	2044	4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe	28
PID 2000 wrote to memory of 1528	2000	dvqwjgk.exe	29
PID 2000 wrote to memory of 1528	2000	dvqwjgk.exe	29
PID 2000 wrote to memory of 1528	2000	dvqwjgk.exe	29
PID 2000 wrote to memory of 1528	2000	dvqwjgk.exe	29
PID 2000 wrote to memory of 1528	2000	dvqwjgk.exe	29
PID 1528 wrote to memory of 268	1528	dvqwjgk.exe	30
PID 1528 wrote to memory of 268	1528	dvqwjgk.exe	30
PID 1528 wrote to memory of 268	1528	dvqwjgk.exe	30
PID 1528 wrote to memory of 268	1528	dvqwjgk.exe	30

C:\Users\Admin\AppData\Local\Temp\4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe
"C:\Users\Admin\AppData\Local\Temp\4bbd82474dc1c45d8db7eb45ead0722aed3a8f2c3f989b4151e62e64af1c3c3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe
  "C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe" C:\Users\Admin\AppData\Local\Temp\vclabid.jr
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe
    "C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 520
      4⤵
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\svkzotimyc.xbt

Filesize
314KB

MD5
21155fd7bc83a871bca64e88240bb56d

SHA1
30a25c370289d88be23b18a0c923fef1affac3a6

SHA256
c12bea3eedbee6372bbce59d77cac83eed4b73e4fbc226c76eddbdc9c960e624

SHA512
6f0c1baf8572be8206ed9d8d3d5fdef8730291551101a35bacf50ca9ad31271bfd1ea8d9b7c5bde8508e150eb8c14adfb57c876afb50afb3f79115bb208f44ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vclabid.jr

Filesize
5KB

MD5
78f090f09575e547327e1808ffe67ce9

SHA1
6bee03daf2d617e4bc1a4aa994e4cf65ce41975d

SHA256
14b0105745596469c85e789c350b172e401342ff21079d155ab38e804a736a8e

SHA512
a76d139ce3ce984e0f2249570cedc0a7173e4080563e8d99f9b1d01150c4c2400546bd17cea145776f85a0312bc473efd5b7c2a754802c8b301c78a59b9b2022

Download Submit
\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
\Users\Admin\AppData\Local\Temp\dvqwjgk.exe

Filesize
53KB

MD5
f0b303f0c99dddfef157a249cd995402

SHA1
a25ffaeafba7d7a05700cf758c53bb8e22cb1807

SHA256
e27f2341bf0ce00613f2eba5325f3385fd2687a06c81533287191a8f82538fcc

SHA512
c7bc3f629e5d99d23f90ca91d91d5c97a9ad71859ad7099ce5f4948d99deb535e5502da9dc3124cc0e42323c2f9f317ad6f27ca74e700c2ac593e12dd34ce4ec

Download Submit
memory/268-79-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1528-69-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-76-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1528-75-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download
memory/1528-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-72-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1528-80-0x0000000002000000-0x0000000002040000-memory.dmp

Filesize
256KB

Download