agenttesla | 149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace

General

Target

149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe
Size

154.0MB
MD5

0e3961b63c79cfd5450af6a072df2cf4
SHA1

e5aa08783dce22db20ea2791c8bd9e555dbe91a1
SHA256

149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace
SHA512

360e9c51f5825a973a1ceb6b9c0dcdd580715e72dbef6bd3f409d73cf88b776b316ec08023c90470f7e7de5dfa81a3c4bdcddf4b7a221fa722e8ba68828cc0e9
SSDEEP

1572864:UafzGToO0fw1GZrhqWKnUlqdoT43pv8Mx58REy0DZlecF:HfzdhbIoTY5zZAY

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/948-63-0x0000000007FC0000-0x0000000008490000-memory.dmp	family_agenttesla
behavioral2/memory/948-66-0x0000000007FC0000-0x0000000008490000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation	149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe

C:\Users\Admin\AppData\Local\Temp\149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe
"C:\Users\Admin\AppData\Local\Temp\149fee78d8d12af76af26eddc5aafa42b8f2a028f27f55676241110cb8a65ace.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-0-0x00000000070A0000-0x0000000007A29000-memory.dmp

Filesize
9.5MB

Download
memory/948-3-0x00000000070A0000-0x0000000007A29000-memory.dmp

Filesize
9.5MB

Download
memory/948-5-0x0000000000D50000-0x0000000001578000-memory.dmp

Filesize
8.2MB

Download
memory/948-4-0x0000000008BB0000-0x0000000009D1F000-memory.dmp

Filesize
17.4MB

Download
memory/948-8-0x0000000008BB0000-0x0000000009D1F000-memory.dmp

Filesize
17.4MB

Download
memory/948-9-0x0000000009D20000-0x000000000A908000-memory.dmp

Filesize
11.9MB

Download
memory/948-12-0x0000000009D20000-0x000000000A908000-memory.dmp

Filesize
11.9MB

Download
memory/948-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/948-16-0x0000000006AF0000-0x0000000006BA4000-memory.dmp

Filesize
720KB

Download
memory/948-19-0x0000000006AF0000-0x0000000006BA4000-memory.dmp

Filesize
720KB

Download
memory/948-20-0x0000000006770000-0x000000000677C000-memory.dmp

Filesize
48KB

Download
memory/948-23-0x0000000006770000-0x000000000677C000-memory.dmp

Filesize
48KB

Download
memory/948-24-0x0000000006750000-0x000000000676F000-memory.dmp

Filesize
124KB

Download
memory/948-27-0x0000000006750000-0x000000000676F000-memory.dmp

Filesize
124KB

Download
memory/948-28-0x00000000067A0000-0x00000000067B5000-memory.dmp

Filesize
84KB

Download
memory/948-31-0x00000000067A0000-0x00000000067B5000-memory.dmp

Filesize
84KB

Download
memory/948-32-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/948-35-0x0000000006820000-0x0000000006832000-memory.dmp

Filesize
72KB

Download
memory/948-39-0x0000000006880000-0x000000000689D000-memory.dmp

Filesize
116KB

Download
memory/948-42-0x0000000006880000-0x000000000689D000-memory.dmp

Filesize
116KB

Download
memory/948-43-0x0000000006970000-0x00000000069AA000-memory.dmp

Filesize
232KB

Download
memory/948-46-0x0000000006970000-0x00000000069AA000-memory.dmp

Filesize
232KB

Download
memory/948-47-0x0000000006D30000-0x0000000006E19000-memory.dmp

Filesize
932KB

Download
memory/948-50-0x0000000006D30000-0x0000000006E19000-memory.dmp

Filesize
932KB

Download
memory/948-51-0x0000000006870000-0x0000000006876000-memory.dmp

Filesize
24KB

Download
memory/948-54-0x0000000006870000-0x0000000006876000-memory.dmp

Filesize
24KB

Download
memory/948-55-0x00000000068E0000-0x00000000068E9000-memory.dmp

Filesize
36KB

Download
memory/948-58-0x00000000068E0000-0x00000000068E9000-memory.dmp

Filesize
36KB

Download
memory/948-59-0x0000000007A30000-0x0000000007AD5000-memory.dmp

Filesize
660KB

Download
memory/948-62-0x0000000007A30000-0x0000000007AD5000-memory.dmp

Filesize
660KB

Download
memory/948-63-0x0000000007FC0000-0x0000000008490000-memory.dmp

Filesize
4.8MB

Download
memory/948-66-0x0000000007FC0000-0x0000000008490000-memory.dmp

Filesize
4.8MB

Download
memory/948-67-0x0000000006A00000-0x0000000006A05000-memory.dmp

Filesize
20KB

Download
memory/948-111-0x0000000000D50000-0x0000000001578000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads