agenttesla | 82406d68e65149769c2346162bcd358e89e7fcb54ae346f63f2eaa852426d5ed

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
11-12-2023 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd989914536fbbbee6af24538369a07b.exe
Size

1.8MB
MD5

fd989914536fbbbee6af24538369a07b
SHA1

b418015fc889b28dbf21a5d9ac8e04020766e947
SHA256

82406d68e65149769c2346162bcd358e89e7fcb54ae346f63f2eaa852426d5ed
SHA512

873918513634b19554cbed589b12fb64e6ddcd36efac3e3b3e30fccb384050951aec28c421caa6b90296be284c69de0034e74b43bf420222746bf04c40171bc9
SSDEEP

24576:0PSZ6uf+02A6fC9LtSRwY83GGB9Ve9weCaqVYzoX9oBYbFpfuLbzEy0QMpTpq:hZUbfC9psGBDe9D+VLtoBYzWPZzoTpq

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2076-7-0x000000001BAD0000-0x000000001BCE4000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	fd989914536fbbbee6af24538369a07b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	fd989914536fbbbee6af24538369a07b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	fd989914536fbbbee6af24538369a07b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2076	fd989914536fbbbee6af24538369a07b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	fd989914536fbbbee6af24538369a07b.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1004	2076	fd989914536fbbbee6af24538369a07b.exe	28
PID 2076 wrote to memory of 1004	2076	fd989914536fbbbee6af24538369a07b.exe	28
PID 2076 wrote to memory of 1004	2076	fd989914536fbbbee6af24538369a07b.exe	28

C:\Users\Admin\AppData\Local\Temp\fd989914536fbbbee6af24538369a07b.exe
"C:\Users\Admin\AppData\Local\Temp\fd989914536fbbbee6af24538369a07b.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2076 -s 652
  2⤵
  PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-0-0x0000000000BE0000-0x0000000000DAA000-memory.dmp

Filesize
1.8MB

Download
memory/2076-1-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-2-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2076-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2076-6-0x0000000000290000-0x00000000002AA000-memory.dmp

Filesize
104KB

Download
memory/2076-5-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2076-4-0x000000001B1B0000-0x000000001B2EC000-memory.dmp

Filesize
1.2MB

Download
memory/2076-7-0x000000001BAD0000-0x000000001BCE4000-memory.dmp

Filesize
2.1MB

Download
memory/2076-8-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

Filesize
9.9MB

Download
memory/2076-9-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download