agenttesla | 30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0

General

Target

30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe
Size

154.0MB
MD5

5dc1f3df08dc25000b3594ba35efc89d
SHA1

7ca16e7ab49cdb5b320f9843a59b8981c944f632
SHA256

30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0
SHA512

d10e7286a827f71abea1fc45ccc2d42d3f5f46af4640e637a1c945e554a5c54873bea0ebfe387f35d56d2d28b0a200e7b6e53a6cf0a7a3cd95c125d2999d670a
SSDEEP

1572864:UafzGToO0fw1GZrhqWKnUlqdoT43pv8Mx58zEy0DZlecF:HfzdhbIoTY5dZAQ

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5060-64-0x00000000079A0000-0x0000000007E70000-memory.dmp	family_agenttesla
behavioral2/memory/5060-67-0x00000000079A0000-0x0000000007E70000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation	30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe

C:\Users\Admin\AppData\Local\Temp\30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe
"C:\Users\Admin\AppData\Local\Temp\30f0de577e66c6ad5c76b22f516d026662d2960578e50e299142ab73d95fe5e0.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5060-0-0x0000000006A80000-0x0000000007409000-memory.dmp

Filesize
9.5MB

Download
memory/5060-3-0x0000000006A80000-0x0000000007409000-memory.dmp

Filesize
9.5MB

Download
memory/5060-5-0x0000000000060000-0x0000000000888000-memory.dmp

Filesize
8.2MB

Download
memory/5060-4-0x0000000008590000-0x00000000096FF000-memory.dmp

Filesize
17.4MB

Download
memory/5060-8-0x0000000008590000-0x00000000096FF000-memory.dmp

Filesize
17.4MB

Download
memory/5060-9-0x0000000009700000-0x000000000A2E8000-memory.dmp

Filesize
11.9MB

Download
memory/5060-12-0x0000000009700000-0x000000000A2E8000-memory.dmp

Filesize
11.9MB

Download
memory/5060-25-0x00000000063C0000-0x00000000063DF000-memory.dmp

Filesize
124KB

Download
memory/5060-36-0x0000000006460000-0x0000000006472000-memory.dmp

Filesize
72KB

Download
memory/5060-33-0x0000000006460000-0x0000000006472000-memory.dmp

Filesize
72KB

Download
memory/5060-32-0x0000000006410000-0x0000000006425000-memory.dmp

Filesize
84KB

Download
memory/5060-29-0x0000000006410000-0x0000000006425000-memory.dmp

Filesize
84KB

Download
memory/5060-28-0x00000000063C0000-0x00000000063DF000-memory.dmp

Filesize
124KB

Download
memory/5060-47-0x0000000006600000-0x000000000663A000-memory.dmp

Filesize
232KB

Download
memory/5060-60-0x0000000007410000-0x00000000074B5000-memory.dmp

Filesize
660KB

Download
memory/5060-59-0x0000000006640000-0x0000000006649000-memory.dmp

Filesize
36KB

Download
memory/5060-63-0x0000000007410000-0x00000000074B5000-memory.dmp

Filesize
660KB

Download
memory/5060-64-0x00000000079A0000-0x0000000007E70000-memory.dmp

Filesize
4.8MB

Download
memory/5060-56-0x0000000006640000-0x0000000006649000-memory.dmp

Filesize
36KB

Download
memory/5060-67-0x00000000079A0000-0x0000000007E70000-memory.dmp

Filesize
4.8MB

Download
memory/5060-55-0x00000000064B0000-0x00000000064B6000-memory.dmp

Filesize
24KB

Download
memory/5060-52-0x00000000064B0000-0x00000000064B6000-memory.dmp

Filesize
24KB

Download
memory/5060-51-0x0000000006730000-0x0000000006819000-memory.dmp

Filesize
932KB

Download
memory/5060-48-0x0000000006730000-0x0000000006819000-memory.dmp

Filesize
932KB

Download
memory/5060-44-0x0000000006600000-0x000000000663A000-memory.dmp

Filesize
232KB

Download
memory/5060-43-0x00000000064C0000-0x00000000064DD000-memory.dmp

Filesize
116KB

Download
memory/5060-40-0x00000000064C0000-0x00000000064DD000-memory.dmp

Filesize
116KB

Download
memory/5060-24-0x00000000063E0000-0x00000000063EC000-memory.dmp

Filesize
48KB

Download
memory/5060-21-0x00000000063E0000-0x00000000063EC000-memory.dmp

Filesize
48KB

Download
memory/5060-20-0x0000000006500000-0x00000000065B4000-memory.dmp

Filesize
720KB

Download
memory/5060-17-0x0000000006500000-0x00000000065B4000-memory.dmp

Filesize
720KB

Download
memory/5060-16-0x00000000063A0000-0x00000000063B1000-memory.dmp

Filesize
68KB

Download
memory/5060-13-0x00000000063A0000-0x00000000063B1000-memory.dmp

Filesize
68KB

Download
memory/5060-112-0x0000000000060000-0x0000000000888000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads