agenttesla | eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b

General

Target

eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
Size

419KB
MD5

748587ad382b73ec3619f951b9c0f520
SHA1

1867110007560593e22f2a45d354c35099dcdd74
SHA256

eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b
SHA512

41715aa653807cdf099fb6f999ea5eb36b77a203502e3ff708620696a84f2c9bf14b27e16368c1122d1718cca6fdd5b39324bbe6f6654c124f535d191e8f252c
SSDEEP

6144:P8LxBgg2Z/zHvU7RD+0c+7jsZ37cOG4CIrAntf24fP2UPDK1WvXC9MaPBA:w2Z/zHWA0c+3W3ObIrAnVf1LK1Wv3OK

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2960	qdslvzkqg.exe
848	qdslvzkqg.exe

Loads dropped DLL 3 IoCs

pid	Process
1720	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
1720	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
2960	qdslvzkqg.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 848	2960	qdslvzkqg.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
848	qdslvzkqg.exe
848	qdslvzkqg.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2960	qdslvzkqg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	qdslvzkqg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2960	1720	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	28
PID 1720 wrote to memory of 2960	1720	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	28
PID 1720 wrote to memory of 2960	1720	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	28
PID 1720 wrote to memory of 2960	1720	eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe	28
PID 2960 wrote to memory of 848	2960	qdslvzkqg.exe	30
PID 2960 wrote to memory of 848	2960	qdslvzkqg.exe	30
PID 2960 wrote to memory of 848	2960	qdslvzkqg.exe	30
PID 2960 wrote to memory of 848	2960	qdslvzkqg.exe	30
PID 2960 wrote to memory of 848	2960	qdslvzkqg.exe	30

C:\Users\Admin\AppData\Local\Temp\eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe
"C:\Users\Admin\AppData\Local\Temp\eb000e1dcd32b865b9ab28720b05953e630f8602faea420f2a60676745479a9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe
  "C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe
    "C:\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pccizpgtrzz.hj

Filesize
333KB

MD5
ca1c97ce2afd887ef84dbd4592e234e8

SHA1
2922fe8e316321b5762058f4f24b6415450122fe

SHA256
0046c6a752df509a293fcbfa9665923c6ac4310d59bdbaf102704cf4ec4c3247

SHA512
faad180d9d2155577af4c7a1573a7433dda0050d53773df8d7a32d69db7052001aa9097c9c82618700627d9a563a378ac04367334b6a67bbae3392f56919c13d

Download Submit
\Users\Admin\AppData\Local\Temp\qdslvzkqg.exe

Filesize
165KB

MD5
1b8d8633ac4e79b156290d394f181047

SHA1
c4434ea803b10c58d37d8383e3e9da2732993d28

SHA256
046380e2a000529cddb9aa5454967f78432fdcc0c238568cda2594c113f2584b

SHA512
d624223e8df35b873ec296299df34b2e8a3352af2f2fb8f4eea3134e04b046f6b03385536a3beeb71ecd24390cf3ec92d8b48a200152d7a6760f09d35402e0a4

Download Submit
memory/848-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/848-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/848-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/848-20-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/848-22-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/848-21-0x00000000047E0000-0x0000000004820000-memory.dmp

Filesize
256KB

Download
memory/848-19-0x00000000020B0000-0x00000000020F2000-memory.dmp

Filesize
264KB

Download
memory/848-24-0x0000000073C60000-0x000000007434E000-memory.dmp

Filesize
6.9MB

Download
memory/2960-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2960-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing