agenttesla | b894cc268212c515d0ee2d531128f79ef1b3131b6ea41a297d1b54f23dcdecca

General

Target

SecuriteInfo.com.FileRepMalware.29201.26455.exe
Size

406KB
MD5

ba8e505b076679d9c2eff327cc6bd353
SHA1

e46554f336d8c8f3cd720298ceaa46d528275669
SHA256

b894cc268212c515d0ee2d531128f79ef1b3131b6ea41a297d1b54f23dcdecca
SHA512

04f0368f58dc5411323d1f4a336d3b4a5ddb601491ecceac557ec143244d43fc20bc5eccdc1dd02b05e625d250bb38f2e881533c5c219959067473546b4024d8
SSDEEP

12288:BRuXX7/8PoKqO7tV3Ebtp+EPbEoBW+i0b:BgX7UPr7n3EZTE6

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

hzwno.exehzwno.exe

pid process

2596 hzwno.exe
2760 hzwno.exe
Loads dropped DLL 3 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.29201.26455.exehzwno.exe

pid process

1264 SecuriteInfo.com.FileRepMalware.29201.26455.exe
1264 SecuriteInfo.com.FileRepMalware.29201.26455.exe
2596 hzwno.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2596	hzwno.exe
2760	hzwno.exe

pid	process
1264	SecuriteInfo.com.FileRepMalware.29201.26455.exe
1264	SecuriteInfo.com.FileRepMalware.29201.26455.exe
2596	hzwno.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hzwno.exehzwno.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\hqmvrbk = "C:\\Users\\Admin\\AppData\\Roaming\\gclupy\\ienjscx.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hzwno.exe\" "	hzwno.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\LHdEfz = "C:\\Users\\Admin\\AppData\\Roaming\\LHdEfz\\LHdEfz.exe"	hzwno.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

hzwno.exe

description pid process target process

PID 2596 set thread context of 2760 2596 hzwno.exe hzwno.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

hzwno.exe

pid process

2760 hzwno.exe
2760 hzwno.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

hzwno.exe

pid process

2596 hzwno.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hzwno.exe

description pid process

Token: SeDebugPrivilege 2760 hzwno.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

hzwno.exe

pid process

2760 hzwno.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2596 set thread context of 2760	2596	hzwno.exe	hzwno.exe

pid	process
2760	hzwno.exe
2760	hzwno.exe

pid	process
2596	hzwno.exe

description	pid	process
Token: SeDebugPrivilege	2760	hzwno.exe

pid	process
2760	hzwno.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.FileRepMalware.29201.26455.exehzwno.exe

description	pid	process	target process
PID 1264 wrote to memory of 2596	1264	SecuriteInfo.com.FileRepMalware.29201.26455.exe	hzwno.exe
PID 1264 wrote to memory of 2596	1264	SecuriteInfo.com.FileRepMalware.29201.26455.exe	hzwno.exe
PID 1264 wrote to memory of 2596	1264	SecuriteInfo.com.FileRepMalware.29201.26455.exe	hzwno.exe
PID 1264 wrote to memory of 2596	1264	SecuriteInfo.com.FileRepMalware.29201.26455.exe	hzwno.exe
PID 2596 wrote to memory of 2760	2596	hzwno.exe	hzwno.exe
PID 2596 wrote to memory of 2760	2596	hzwno.exe	hzwno.exe
PID 2596 wrote to memory of 2760	2596	hzwno.exe	hzwno.exe
PID 2596 wrote to memory of 2760	2596	hzwno.exe	hzwno.exe
PID 2596 wrote to memory of 2760	2596	hzwno.exe	hzwno.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.29201.26455.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.29201.26455.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\hzwno.exe
"C:\Users\Admin\AppData\Local\Temp\hzwno.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\hzwno.exe
"C:\Users\Admin\AppData\Local\Temp\hzwno.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxwdyqzxsb.tox

Filesize
334KB

MD5
21d440c7609b7b15ef571c81da11e000

SHA1
7dbb91fad91b178b8bbcb58745add49b332f6464

SHA256
766ed137fedabe6d85f356040fce66454282c6c9f0e958fe9fdaefb3285634fe

SHA512
c302bfd4b05d5652b77e239405d25c9987565e3020a502e75bd4c85c2ad4bd0e251ec8f1f9996147fe0b0c823946e6f87c9c6a87f0ce3fa616184d601e79fead

Download Submit
\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
\Users\Admin\AppData\Local\Temp\hzwno.exe

Filesize
167KB

MD5
4b85a8e213135cf1c7f0c0a5e5265d51

SHA1
3e4db8171578ebbe4a9c8350e20e7136a0cee46d

SHA256
c3f9831ef39bbda2e01282a555b500ad8088abb358a633e2a2513c4f18768554

SHA512
b6d3a8334babda44c7aee88b866434e07914e134ca6a70793966d8ebf4a1c8463884ffe4afd171dbd6634888bd716126c9d2864eb98dd8ad249f34ec6d2b3cd2

Download Submit
memory/2596-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2596-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-18-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-19-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-20-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2760-21-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-22-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2760-23-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download
memory/2760-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2760-25-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-26-0x00000000047D0000-0x0000000004810000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads