agenttesla | 01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8

General

Target

01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe
Size

403KB
MD5

c081e925d1f5ffa3057680b76e354141
SHA1

fe2a4b9d382fffe418d34d101785ce7a787c6aa0
SHA256

01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8
SHA512

14c554c4c2bccb5ce9299f4cbdf1bd1fd318d4e37ad77cbbf765ae04b539a896c33050c399cc0357ac74e3893a54805d5b2ceffbf5bc32ae4ecdb6b80b6ed6ae
SSDEEP

12288:D94/XlCUvQt1apQ7ERtLJ7N/vMmbCH/a9:DO5vzpvLJ7N3vCHS9

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2772	iqqsmqf.exe
2804	iqqsmqf.exe

Loads dropped DLL 3 IoCs

pid	Process
2252	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe
2252	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe
2772	iqqsmqf.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2772 set thread context of 2804	2772	iqqsmqf.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	iqqsmqf.exe
2804	iqqsmqf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2772	iqqsmqf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	iqqsmqf.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2772	2252	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	28
PID 2252 wrote to memory of 2772	2252	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	28
PID 2252 wrote to memory of 2772	2252	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	28
PID 2252 wrote to memory of 2772	2252	01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe	28
PID 2772 wrote to memory of 2804	2772	iqqsmqf.exe	30
PID 2772 wrote to memory of 2804	2772	iqqsmqf.exe	30
PID 2772 wrote to memory of 2804	2772	iqqsmqf.exe	30
PID 2772 wrote to memory of 2804	2772	iqqsmqf.exe	30
PID 2772 wrote to memory of 2804	2772	iqqsmqf.exe	30

C:\Users\Admin\AppData\Local\Temp\01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe
"C:\Users\Admin\AppData\Local\Temp\01a9921402a5f16927078fb894525739afc8dd141cc78c94b0a6e6c57651cfd8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe
  "C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe
    "C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\xtlzwvurz.k

Filesize
333KB

MD5
6b1c08140286d7333b668a0d387dfeb0

SHA1
46f2b3da75af49e6daede57d362102564c6c525d

SHA256
45e0101d414ac7f6378f1f39e63a1907aa1c1c7d8d74dea58ed9b3d54dad9644

SHA512
80d130300da51896d920b9bb17168d3a84d66c517c7523084c1727aed12199602a2d37702aedf2b529af6ccfd4da7d9d03602a988be0d54abf94d58c9f73596a

Download Submit
\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
\Users\Admin\AppData\Local\Temp\iqqsmqf.exe

Filesize
165KB

MD5
9bfe9255e6c071d5085cb8fe04470d4d

SHA1
8bbdac8c049f4c0ca91f54b68a845c53cd4c1169

SHA256
842c0f3848a212cdb1ee71bb2a0922fea7f0ee1b9a27abbe7848954685d2fd1e

SHA512
e416fc348e088085b794fc798dcbe60f34537aac957853e39b838dca5693a4ad1046a5e4e56dee5e833cab564f83e4fe90874cb69a43a55995feb4b5862f2b15

Download Submit
memory/2772-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2772-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2804-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2804-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2804-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2804-19-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-20-0x0000000001CF0000-0x0000000001D32000-memory.dmp

Filesize
264KB

Download
memory/2804-21-0x0000000004560000-0x00000000045A0000-memory.dmp

Filesize
256KB

Download
memory/2804-22-0x0000000004560000-0x00000000045A0000-memory.dmp

Filesize
256KB

Download
memory/2804-23-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2804-24-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing