agenttesla | 33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d

General

Target

33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe
Size

154.0MB
MD5

652219e3762bac4398d5d0d72d53dc9b
SHA1

c6e5a82be097208b154b2078b5b1fb1028c75ec2
SHA256

33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d
SHA512

748d104e30451122d1284445be19867b55656dc05bf666ec82e8d88f03c803690350cf5f696e0762822393e871d17dac5e4ad86e426ed36038af8964b7a62e8f
SSDEEP

1572864:UafzGToO0fw1GZrhqWKnUlqdoT43pv8Mx58REy0DZlecD:HfzdhbIoTY5jZAq

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/544-64-0x0000000007CD0000-0x00000000081A0000-memory.dmp	family_agenttesla
behavioral2/memory/544-67-0x0000000007CD0000-0x00000000081A0000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation	33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe

C:\Users\Admin\AppData\Local\Temp\33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe
"C:\Users\Admin\AppData\Local\Temp\33579d62e29087f5f0948d5c209858ba6f811f809e39424d6776d6a2b8131e2d.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-0-0x0000000006DB0000-0x0000000007739000-memory.dmp

Filesize
9.5MB

Download
memory/544-3-0x0000000006DB0000-0x0000000007739000-memory.dmp

Filesize
9.5MB

Download
memory/544-5-0x0000000000D20000-0x0000000001548000-memory.dmp

Filesize
8.2MB

Download
memory/544-4-0x00000000088C0000-0x0000000009A2F000-memory.dmp

Filesize
17.4MB

Download
memory/544-8-0x00000000088C0000-0x0000000009A2F000-memory.dmp

Filesize
17.4MB

Download
memory/544-9-0x0000000009A30000-0x000000000A618000-memory.dmp

Filesize
11.9MB

Download
memory/544-12-0x0000000009A30000-0x000000000A618000-memory.dmp

Filesize
11.9MB

Download
memory/544-13-0x00000000066A0000-0x00000000066B1000-memory.dmp

Filesize
68KB

Download
memory/544-20-0x0000000006820000-0x00000000068D4000-memory.dmp

Filesize
720KB

Download
memory/544-21-0x00000000066E0000-0x00000000066EC000-memory.dmp

Filesize
48KB

Download
memory/544-24-0x00000000066E0000-0x00000000066EC000-memory.dmp

Filesize
48KB

Download
memory/544-25-0x00000000066C0000-0x00000000066DF000-memory.dmp

Filesize
124KB

Download
memory/544-44-0x00000000068E0000-0x000000000691A000-memory.dmp

Filesize
232KB

Download
memory/544-55-0x00000000067A0000-0x00000000067A6000-memory.dmp

Filesize
24KB

Download
memory/544-59-0x0000000006C20000-0x0000000006C29000-memory.dmp

Filesize
36KB

Download
memory/544-63-0x0000000007740000-0x00000000077E5000-memory.dmp

Filesize
660KB

Download
memory/544-60-0x0000000007740000-0x00000000077E5000-memory.dmp

Filesize
660KB

Download
memory/544-56-0x0000000006C20000-0x0000000006C29000-memory.dmp

Filesize
36KB

Download
memory/544-52-0x00000000067A0000-0x00000000067A6000-memory.dmp

Filesize
24KB

Download
memory/544-51-0x0000000006A10000-0x0000000006AF9000-memory.dmp

Filesize
932KB

Download
memory/544-64-0x0000000007CD0000-0x00000000081A0000-memory.dmp

Filesize
4.8MB

Download
memory/544-48-0x0000000006A10000-0x0000000006AF9000-memory.dmp

Filesize
932KB

Download
memory/544-47-0x00000000068E0000-0x000000000691A000-memory.dmp

Filesize
232KB

Download
memory/544-43-0x00000000067B0000-0x00000000067CD000-memory.dmp

Filesize
116KB

Download
memory/544-40-0x00000000067B0000-0x00000000067CD000-memory.dmp

Filesize
116KB

Download
memory/544-36-0x0000000006750000-0x0000000006762000-memory.dmp

Filesize
72KB

Download
memory/544-33-0x0000000006750000-0x0000000006762000-memory.dmp

Filesize
72KB

Download
memory/544-32-0x0000000006710000-0x0000000006725000-memory.dmp

Filesize
84KB

Download
memory/544-29-0x0000000006710000-0x0000000006725000-memory.dmp

Filesize
84KB

Download
memory/544-67-0x0000000007CD0000-0x00000000081A0000-memory.dmp

Filesize
4.8MB

Download
memory/544-28-0x00000000066C0000-0x00000000066DF000-memory.dmp

Filesize
124KB

Download
memory/544-17-0x0000000006820000-0x00000000068D4000-memory.dmp

Filesize
720KB

Download
memory/544-16-0x00000000066A0000-0x00000000066B1000-memory.dmp

Filesize
68KB

Download
memory/544-112-0x0000000000D20000-0x0000000001548000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads