agenttesla | 1dcb5aba17ea2886a59f960d60dd23b5cb14112f046a0d8de6e6d589e96639d5

General

Target

WizWorm v4.rar
Size

35.5MB
MD5

82f10a35d8425c3e46ef808972e73831
SHA1

ac0dca716e71e0aabc3d4ac41d85e3bac5448630
SHA256

1dcb5aba17ea2886a59f960d60dd23b5cb14112f046a0d8de6e6d589e96639d5
SHA512

f7ab8a440697c69a639465dba9772da837f4c9cd0ed8d7672aa3ca6dced3ceb6024277c80c5b17b0c76e47133689965858f54d211e454c44c2c4dd7c3f8ca50d
SSDEEP

786432:p+vcme8z2HYjCBbwIiEgBNVN7lDR+2FQGP1Rtn+FbzmeLc5vLN:Uc7HlsI6BNVsattPDeclN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000a000000023235-135.dat	family_agenttesla
behavioral3/memory/2816-136-0x000001727CED0000-0x000001727D0C4000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2816	WizWorm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WizWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WizWorm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WizWorm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe
2816	WizWorm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4712	7zFM.exe
Token: 35	4712	7zFM.exe
Token: SeSecurityPrivilege	4712	7zFM.exe
Token: 33	4232	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4232	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4712	7zFM.exe
4712	7zFM.exe
2816	WizWorm.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2816	WizWorm.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 4712	3388	cmd.exe	93
PID 3388 wrote to memory of 4712	3388	cmd.exe	93

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\WizWorm v4.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\WizWorm v4.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5104

C:\Users\Admin\Desktop\WizWorm v4\WizWorm.exe
"C:\Users\Admin\Desktop\WizWorm v4\WizWorm.exe"
1⤵
- Executes dropped EXE
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x308
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\WizWorm v4\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Desktop\WizWorm v4\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Desktop\WizWorm v4\Intro.wav

Filesize
591KB

MD5
d0b4077dc5623a51a8dd9fa37cafbf62

SHA1
9793779439a4e0bf5be28d1ff5e688dfb087c263

SHA256
7ef5b1508c6187f45cb9803436238658f82ecbfe43ae3fffe5b0d22a86f79600

SHA512
a94020fc4782a13b72f7729888f5ebc6e4d806a2b705bdeeae5305815d5fe177db57dd17b40c5cbeae0d8491f4f6a5e63e23485014ed8384358877b87b4cda71

Download Submit
C:\Users\Admin\Desktop\WizWorm v4\MetroFramework.Fonts.dll

Filesize
656KB

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\Desktop\WizWorm v4\MetroFramework.dll

Filesize
345KB

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\Desktop\WizWorm v4\WizWorm.exe

Filesize
704KB

MD5
befe8e6e2ff58f1c9e19acf30f586b8a

SHA1
8d7752e54c8c47285dc292489ddc0c826027e806

SHA256
a1cff5cea9034b950266101b79ffd6105d33059326c2042397c91c365c16c8da

SHA512
428cabefea4a8bebf3565325f73cbb539ff08ea0637421fa7f7276e44a715b8b82c7736738307f6682960511bf08911153b4260db04cb38c93fbb47ac0dead5f

Download Submit
memory/2816-137-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-140-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-133-0x000001727AF30000-0x000001727AF8C000-memory.dmp

Filesize
368KB

Download
memory/2816-136-0x000001727CED0000-0x000001727D0C4000-memory.dmp

Filesize
2.0MB

Download
memory/2816-131-0x000001727B9E0000-0x000001727CBD2000-memory.dmp

Filesize
17.9MB

Download
memory/2816-130-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-139-0x000001727FB70000-0x000001727FC1A000-memory.dmp

Filesize
680KB

Download
memory/2816-134-0x000001727AEB0000-0x000001727AEC2000-memory.dmp

Filesize
72KB

Download
memory/2816-129-0x0000017278430000-0x000001727928E000-memory.dmp

Filesize
14.4MB

Download
memory/2816-142-0x00007FF8C5E20000-0x00007FF8C68E1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-143-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-128-0x00007FF8C5E20000-0x00007FF8C68E1000-memory.dmp

Filesize
10.8MB

Download
memory/2816-146-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-145-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-147-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download
memory/2816-148-0x0000017279680000-0x0000017279690000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads