agenttesla | 7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36

General

Target

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
Size

1.2MB
MD5

825399a8feef99272b3b3d1ecf6a24dd
SHA1

e6b356e65c8d5925ce26831aa9a0e8394be2738b
SHA256

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36
SHA512

86ba270e4e64071a76a2419ffbc85ee342589d5b29f2ed1cb2a77fec0014c5d207a64e9b5abec2287c054ad505a8fe6fc98d5a15144c8ad781d8a52d7b3716da
SSDEEP

24576:cqDEvCTbMWu7rQYlBQcBiT6rprG8aol1RqnlZtVV9DalVfOI:cTvC/MTQYxsWR7aolzqHtYO

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

DADDY 026.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs DADDY 026.exe
Executes dropped EXE 1 IoCs

Processes:

DADDY 026.exe

pid process

2504 DADDY 026.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs	DADDY 026.exe

pid	process
2504	DADDY 026.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DADDY 026.exe

description pid process target process

PID 2504 set thread context of 1560 2504 DADDY 026.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exe

pid process

1560 svchost.exe
1560 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DADDY 026.exe

pid process

2504 DADDY 026.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1560 svchost.exe

description	pid	process	target process
PID 2504 set thread context of 1560	2504	DADDY 026.exe	svchost.exe

pid	process
1560	svchost.exe
1560	svchost.exe

pid	process
2504	DADDY 026.exe

description	pid	process
Token: SeDebugPrivilege	1560	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exeDADDY 026.exe

pid	process
4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
2504	DADDY 026.exe
2504	DADDY 026.exe
2504	DADDY 026.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exeDADDY 026.exe

pid	process
4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
2504	DADDY 026.exe
2504	DADDY 026.exe
2504	DADDY 026.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exeDADDY 026.exe

description	pid	process	target process
PID 4016 wrote to memory of 2504	4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 4016 wrote to memory of 2504	4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 4016 wrote to memory of 2504	4016	7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe	DADDY 026.exe
PID 2504 wrote to memory of 1560	2504	DADDY 026.exe	svchost.exe
PID 2504 wrote to memory of 1560	2504	DADDY 026.exe	svchost.exe
PID 2504 wrote to memory of 1560	2504	DADDY 026.exe	svchost.exe
PID 2504 wrote to memory of 1560	2504	DADDY 026.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe
"C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
"C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\7c772b1c4ba1a6cb92a97314277ff62be83baccc05e385b044e226245faf5f36.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\troopwise
Filesize
29KB

MD5
9c4d7f127e2e82fde6fafb558a424d9a

SHA1
d05ba7679666b2ef9e225ba3c0ef7dc6c37b8370

SHA256
0a3e6ac55aa10e734122039110b39edf7ce9dd4ae8a7b9b9e91e30442c6c86ad

SHA512
b5bbe84da65e2eafbcdc1722d95075de5dda4a6144424c28071504ca8665f0f3f297e77d92a61b1051e4630069ffbf4854df730b7e98255f3be40dbb7b9267aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\woolpress
Filesize
321KB

MD5
0a161d8883568819d0878973e3fa3c98

SHA1
1a4815b2e9cd533f3a495c920c436a37fb9bc3da

SHA256
ccf53cb3650524330cf5a6ddf9f0e4a88320d8b36ea7ba12ae70f4aeac326ff7

SHA512
ab06fc19b83ee429031554d35ffeb97d5d69a90655f93be977dd340b36a9d8ece2f444da17fa1f05f93cb12257e7a024b1a53825e8268629a3d77f198c7c0cd0

Download Submit
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
Filesize
14.6MB

MD5
e6e195666be74d3f18b51cbb639b059e

SHA1
cdc1673bcb8e8342100430c3b6df559e7fc06496

SHA256
256346e7d8262b7ae6889dd2f6c30ea822c3b645286671df858e2166005d793e

SHA512
29a244e4f5465ddc700e50f87c0cdffeea722ca6dba69dc8d76c2e3714ba9dd38b515237e5dbd4cd763105d9a49ecfce84636a03472ed2b6c44c68124a33cee1

Download Submit
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
Filesize
17.2MB

MD5
4ec443ab09096a9211ca3acc65769e88

SHA1
235c7dc585193816b21e03f634ae7cd22f087e7f

SHA256
0c1197f4068537fd35839a897569e7ff5a7a404720143cda1d7b9f0c199aa107

SHA512
a79c2b428881c5eb679c3944cde6b922dcc30c9a49bf1bc4667ccb0f276c8ff239ae1b20220c0e2322d79bbc40abef4b13ccfae1768fce65473e248f0dd64125

Download Submit
memory/1560-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1560-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1560-30-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1560-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1560-32-0x0000000005C10000-0x0000000005C52000-memory.dmp

Filesize
264KB

Download
memory/1560-33-0x0000000074E70000-0x0000000075620000-memory.dmp

Filesize
7.7MB

Download
memory/1560-34-0x0000000006270000-0x0000000006814000-memory.dmp

Filesize
5.6MB

Download
memory/4016-10-0x0000000000BA0000-0x0000000000BA4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads