agenttesla | 7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36

General

Target

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
Size

1.2MB
MD5

825399a8feef99272b3b3d1ecf6a24dd
SHA1

e6b356e65c8d5925ce26831aa9a0e8394be2738b
SHA256

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36
SHA512

86ba270e4e64071a76a2419ffbc85ee342589d5b29f2ed1cb2a77fec0014c5d207a64e9b5abec2287c054ad505a8fe6fc98d5a15144c8ad781d8a52d7b3716da
SSDEEP

24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8aol1RqnlZtVV9DalVfOI:cTvC/MTQYxsWR7aolzqHtYO

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

DADDY 026.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs DADDY 026.exe
Executes dropped EXE 1 IoCs

Processes:

DADDY 026.exe

pid process

2660 DADDY 026.exe
Loads dropped DLL 1 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe

pid process

392 7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs	DADDY 026.exe

pid	process
2660	DADDY 026.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\DADDY 026.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DADDY 026.exe

description pid process target process

PID 2660 set thread context of 2764 2660 DADDY 026.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

2764 svchost.exe
2764 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DADDY 026.exe

pid process

2660 DADDY 026.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2764 svchost.exe

description	pid	process	target process
PID 2660 set thread context of 2764	2660	DADDY 026.exe	svchost.exe

pid	process
2764	svchost.exe
2764	svchost.exe

pid	process
2660	DADDY 026.exe

description	pid	process
Token: SeDebugPrivilege	2764	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exeDADDY 026.exe

pid	process
392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
2660	DADDY 026.exe
2660	DADDY 026.exe
2660	DADDY 026.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exeDADDY 026.exe

pid	process
392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
2660	DADDY 026.exe
2660	DADDY 026.exe
2660	DADDY 026.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exeDADDY 026.exe

description	pid	process	target process
PID 392 wrote to memory of 2660	392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 392 wrote to memory of 2660	392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 392 wrote to memory of 2660	392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 392 wrote to memory of 2660	392	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 2660 wrote to memory of 2764	2660	DADDY 026.exe	svchost.exe
PID 2660 wrote to memory of 2764	2660	DADDY 026.exe	svchost.exe
PID 2660 wrote to memory of 2764	2660	DADDY 026.exe	svchost.exe
PID 2660 wrote to memory of 2764	2660	DADDY 026.exe	svchost.exe
PID 2660 wrote to memory of 2764	2660	DADDY 026.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
"C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
"C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\troopwise
Filesize
29KB

MD5
9c4d7f127e2e82fde6fafb558a424d9a

SHA1
d05ba7679666b2ef9e225ba3c0ef7dc6c37b8370

SHA256
0a3e6ac55aa10e734122039110b39edf7ce9dd4ae8a7b9b9e91e30442c6c86ad

SHA512
b5bbe84da65e2eafbcdc1722d95075de5dda4a6144424c28071504ca8665f0f3f297e77d92a61b1051e4630069ffbf4854df730b7e98255f3be40dbb7b9267aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\woolpress
Filesize
261KB

MD5
978a60aa4c9b96362668b1ac1bf3787c

SHA1
41071d4271e49dfa8ae7b03dd4b9d3cb77ad9943

SHA256
f937843051dfe2e09fc115bbef0e501e02264b498ec167747c19f5e6e7b6e17e

SHA512
67efcf2cf38f28b5ea9bcd923d1d16ca4bad8a9dc77285514021f5a480fc65f1d2fe1bff29d4b15bda3f965573f81589f5f3f8c4473138b0702fb76f6972e8dc

Download Submit
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
Filesize
9.9MB

MD5
3e6ca62590bc098b82a8aeedd8137c19

SHA1
da286452a43efb368a70304a541d735b114f5cd3

SHA256
7e55435b7f12147edcf649d2926adb55cacd241ca6e79dd8cfa521cffb7cc5b5

SHA512
29997d372ea9d0b5baf81a0a7cbbedb01bec61237902a3130cced2a0d9ea69f535b712788bb5940ad325a4a62fda5f3298b2869b665f204334be87f451caae91

Download Submit
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
Filesize
10.0MB

MD5
ac1c61736b8e1ebc63b5d8e9832f3e1b

SHA1
89d14ce377cc65a4724ee5475ab860644f8a43ea

SHA256
77e2b1d395ddb00bcc49297f80b0a6f823cea5a7b7049a453d666f700335ac4b

SHA512
0cb7e9d84dc740b65c003c4a45eebc3e77c1d25f4cad4ca3a42a75c5602a97203e03c2b39c62973fae3fb67fb590d3147ab6183921e8e6c7ab07714ad8035499

Download Submit
\Users\Admin\AppData\Local\directory\DADDY 026.exe
Filesize
6.4MB

MD5
773161b5bf66942272fea0590069a797

SHA1
d90973dd0ff024ace418d2b848f0218d4e5feb7b

SHA256
ccc22bae1c612fb7088af197c600ec2f5ed7a2d1edf18f9e5158225a71579a64

SHA512
ace3ddec1dd0a058122405f9a73a6c855292cc6ab3170f8fac3e72b9663f4b14fcf277673d6174429e2de1ba58be7dd3e6b2ef713eef604f72488044c58328ab

Download Submit
memory/392-10-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download
memory/2764-30-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2764-32-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2764-33-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2764-34-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2764-35-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download
memory/2764-36-0x00000000002B0000-0x00000000002F2000-memory.dmp

Filesize
264KB

Download
memory/2764-37-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download
memory/2764-38-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2764-39-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads