agenttesla | a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f

General

Target

a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
Size

587KB
MD5

1ec275d581b7efc115153bb6a8915ba5
SHA1

869acb34500897d1d9ebe06bf3f52eeaeb8c1eaa
SHA256

a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f
SHA512

001f23bea4fd2ae52fd88d01f1d9bf9539954ac3e02ae7b7dd0dcc9f57d1c9ac89f242a0128d2126313bd3099c40eb622516081298d98b2d05abdb805785d1c5
SSDEEP

6144:O8LxB3Qx8ayrbordY+VxuOveqXd0N+UMq1zSvEFWcbqX7TZPTvV3AWgbyG1aSmWD:GxPgUrdJE0Wx+YWc871PTWbHfmWPYMf

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
1484	aodoeww.exe
2864	aodoeww.exe

Loads dropped DLL 3 IoCs

pid	Process
2796	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
2796	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
1484	aodoeww.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"	aodoeww.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 2864	1484	aodoeww.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2864	aodoeww.exe
2864	aodoeww.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1484	aodoeww.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	aodoeww.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1484	2796	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	28
PID 2796 wrote to memory of 1484	2796	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	28
PID 2796 wrote to memory of 1484	2796	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	28
PID 2796 wrote to memory of 1484	2796	a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe	28
PID 1484 wrote to memory of 2864	1484	aodoeww.exe	30
PID 1484 wrote to memory of 2864	1484	aodoeww.exe	30
PID 1484 wrote to memory of 2864	1484	aodoeww.exe	30
PID 1484 wrote to memory of 2864	1484	aodoeww.exe	30
PID 1484 wrote to memory of 2864	1484	aodoeww.exe	30

C:\Users\Admin\AppData\Local\Temp\a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
"C:\Users\Admin\AppData\Local\Temp\a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\aodoeww.exe
  "C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\aodoeww.exe
    "C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kjwkjigjuz.jpc

Filesize
333KB

MD5
96b2d3902a0e83e8566903c45773664b

SHA1
58fa09c32f35cfd8b31d0a53230fdfa184d9eede

SHA256
bf6daa91ecdf8ec351ab89424d323865fd8f5b2124a9f2b9954ffc4539a44033

SHA512
2c9ec68e765a1c677b7e4493dbd9105f0edf93052b2c4612ff64c0954fc455123e6871a712ffec04f1a3d7c1be9f6406eb9046056fbbf1a50ca0324cc8679f73

Download Submit
\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
\Users\Admin\AppData\Local\Temp\aodoeww.exe

Filesize
165KB

MD5
61489aebd8bfdeec13ef3861873f9e45

SHA1
7cbb9b36b807b4b79b7f17d7494f6de0ff38edfb

SHA256
7f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8

SHA512
6897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5

Download Submit
memory/1484-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1484-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2864-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2864-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2864-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2864-19-0x0000000001D70000-0x0000000001DB2000-memory.dmp

Filesize
264KB

Download
memory/2864-20-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2864-21-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2864-22-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2864-23-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2864-25-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2864-27-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads