agenttesla | 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5

General

Target

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
Size

407KB
MD5

ac1bf5c38abb09be737d7b48ebc5d553
SHA1

6bc0a3dde35d3be636cb2f9d783318956e0fcc4a
SHA256

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5
SHA512

5ef7998b0545b14e8a291339c312c756273896ee11d736252abefb2103facad2fcc53d98a8769645119e9d875a422a1df5ca54236a9e92c0a2fce6a757da31d9
SSDEEP

12288:xE2N3AHQg6mTb5wm7kRSu3kI6SAx9Uj+antxFQ:xtNQHQgxbkRL7w1Kt3Q

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

scgdttsl.exescgdttsl.exe

pid process

3044 scgdttsl.exe
3068 scgdttsl.exe
Loads dropped DLL 2 IoCs

Processes:

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exescgdttsl.exe

pid process

2928 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
3044 scgdttsl.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3044	scgdttsl.exe
3068	scgdttsl.exe

pid	process
2928	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
3044	scgdttsl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

scgdttsl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LHdEfz = "C:\\Users\\Admin\\AppData\\Roaming\\LHdEfz\\LHdEfz.exe"	scgdttsl.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

scgdttsl.exe

description pid process target process

PID 3044 set thread context of 3068 3044 scgdttsl.exe scgdttsl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

scgdttsl.exe

pid process

3068 scgdttsl.exe
3068 scgdttsl.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

scgdttsl.exe

pid process

3044 scgdttsl.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

scgdttsl.exe

description pid process

Token: SeDebugPrivilege 3068 scgdttsl.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

scgdttsl.exe

pid process

3068 scgdttsl.exe

flow	ioc
4	api.ipify.org

description	pid	process	target process
PID 3044 set thread context of 3068	3044	scgdttsl.exe	scgdttsl.exe

pid	process
3068	scgdttsl.exe
3068	scgdttsl.exe

pid	process
3044	scgdttsl.exe

description	pid	process
Token: SeDebugPrivilege	3068	scgdttsl.exe

pid	process
3068	scgdttsl.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exescgdttsl.exe

description	pid	process	target process
PID 2928 wrote to memory of 3044	2928	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 2928 wrote to memory of 3044	2928	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 2928 wrote to memory of 3044	2928	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 2928 wrote to memory of 3044	2928	7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe	scgdttsl.exe
PID 3044 wrote to memory of 3068	3044	scgdttsl.exe	scgdttsl.exe
PID 3044 wrote to memory of 3068	3044	scgdttsl.exe	scgdttsl.exe
PID 3044 wrote to memory of 3068	3044	scgdttsl.exe	scgdttsl.exe
PID 3044 wrote to memory of 3068	3044	scgdttsl.exe	scgdttsl.exe
PID 3044 wrote to memory of 3068	3044	scgdttsl.exe	scgdttsl.exe

C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
"C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928

C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
"C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
"C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zetnk.q

Filesize
334KB

MD5
7d3d03e5e9ce95b6a39a83fb2347e250

SHA1
652f4c084a92cfca3292ada7653ea20283f849bd

SHA256
420e91d0e3befadbb1e09faea8dab8e6502d3d3172b074512b61b64d812478cd

SHA512
5ecd7043f16bd80b3933403e1d473032054e38c767efa09b47c822be4c90cd432d63036b78335f1c67b7d8243c0ac064ab0cc0bdaa70067e140ec62a0b602df9

Download Submit
\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
\Users\Admin\AppData\Local\Temp\scgdttsl.exe

Filesize
173KB

MD5
6f8cb7bcb4ea8b900e00b3557231aed6

SHA1
ec424177535362f8e3d699b0875740a9272cd844

SHA256
49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd

SHA512
63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d

Download Submit
memory/3044-13-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3044-6-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-18-0x0000000004790000-0x00000000047D0000-memory.dmp

Filesize
256KB

Download
memory/3068-17-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-16-0x0000000001CF0000-0x0000000001D32000-memory.dmp

Filesize
264KB

Download
memory/3068-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3068-10-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3068-19-0x0000000004790000-0x00000000047D0000-memory.dmp

Filesize
256KB

Download
memory/3068-15-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/3068-21-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads