agenttesla | 2b90a753fd2f28c391d607ace21d9477b1b22b213ffc5f541337aea128c98d8b

General

Target

VC_redist.x64.exe
Size

1.3MB
MD5

1d897c3961ba925a30687d4a496264f4
SHA1

4701e3cfecd6add58fb684f3456c12fbd301ca9a
SHA256

2b90a753fd2f28c391d607ace21d9477b1b22b213ffc5f541337aea128c98d8b
SHA512

7c545b6e466dd7508d02a528aa76c636d54cf9f337c6b150ee8962880a18c9c4bdd6c7f345930fc7448d6ec94735c59bf70b6ba749aa80d4a2d817b0c9c34a04
SSDEEP

24576:UEqFRdngwtlaHxN8KUWVe6tw2wvKhLnGkqjVnlqud+/2P+A6:UEqHdngwwHv5VbtHwlkqXfd+/9A

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1492-8-0x0000000006970000-0x0000000006B66000-memory.dmp	family_agenttesla

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

VC_redist.x64.exeVC_redist.x64.exe

pid process

1492 VC_redist.x64.exe
520 VC_redist.x64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

VC_redist.x64.exeVC_redist.x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VC_redist.x64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

VC_redist.x64.exeVC_redist.x64.exe

pid	process
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

VC_redist.x64.exeVC_redist.x64.exe

description pid process

Token: SeDebugPrivilege 1492 VC_redist.x64.exe
Token: SeDebugPrivilege 520 VC_redist.x64.exe

description	pid	process
Token: SeDebugPrivilege	1492	VC_redist.x64.exe
Token: SeDebugPrivilege	520	VC_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-11-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/520-18-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/520-17-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/520-16-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/520-14-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/520-13-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/1492-8-0x0000000006970000-0x0000000006B66000-memory.dmp

Filesize
2.0MB

Download
memory/1492-7-0x00000000067C0000-0x00000000067FC000-memory.dmp

Filesize
240KB

Download
memory/1492-0-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-9-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-10-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-6-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/1492-12-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-5-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/1492-4-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-15-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-3-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/1492-2-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/1492-1-0x0000000000590000-0x00000000006D8000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads