agenttesla | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2

General

Target

837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
Size

1.2MB
MD5

3c785d4ebfb66ee2896e9794529159bc
SHA1

ad3d49245fe44b35d6f8004e36bff0c4e4781e62
SHA256

837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2
SHA512

04625cc9db6b6ea26fe313b86c29f2717ce531ec66dbd0c61e90403f2c78f4513959758af2bd571a524cf73c2a9f9a1405cf3a44039ab8e790c467b1930018c3
SSDEEP

24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aOntHSiIs2LLLpJG+aL:YTvC/MTQYxsWR7aOtHDMzG+

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Drops startup file 1 IoCs

Processes:

DADDY 026.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs DADDY 026.exe
Executes dropped EXE 1 IoCs

Processes:

DADDY 026.exe

pid process

1804 DADDY 026.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs	DADDY 026.exe

pid	process
1804	DADDY 026.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DADDY 026.exe

description pid process target process

PID 1804 set thread context of 2016 1804 DADDY 026.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exe

pid process

2016 svchost.exe
2016 svchost.exe
2016 svchost.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DADDY 026.exe

pid process

1804 DADDY 026.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 2016 svchost.exe

description	pid	process	target process
PID 1804 set thread context of 2016	1804	DADDY 026.exe	svchost.exe

pid	process
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe

pid	process
1804	DADDY 026.exe

description	pid	process
Token: SeDebugPrivilege	2016	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exeDADDY 026.exe

pid	process
1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
1804	DADDY 026.exe
1804	DADDY 026.exe
1804	DADDY 026.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exeDADDY 026.exe

pid	process
1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
1804	DADDY 026.exe
1804	DADDY 026.exe
1804	DADDY 026.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exeDADDY 026.exe

description	pid	process	target process
PID 1380 wrote to memory of 1804	1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe	DADDY 026.exe
PID 1380 wrote to memory of 1804	1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe	DADDY 026.exe
PID 1380 wrote to memory of 1804	1380	837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe	DADDY 026.exe
PID 1804 wrote to memory of 2016	1804	DADDY 026.exe	svchost.exe
PID 1804 wrote to memory of 2016	1804	DADDY 026.exe	svchost.exe
PID 1804 wrote to memory of 2016	1804	DADDY 026.exe	svchost.exe
PID 1804 wrote to memory of 2016	1804	DADDY 026.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
"C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
"C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lecheries
Filesize
321KB

MD5
a742ccbd6f702405534512db8ee8f682

SHA1
076c47cec5ecec6f95af65fe968fa5e3bf89ce96

SHA256
620c66203a39c19edf4fb2622b09acc8bb0a35008d76878c6f826c93902c0a8a

SHA512
3f06e350def31fa5d07a490a15cfb21eddf529d107e08f304d59db86b7d05240fb54ecf6505a98b2f3b968f375faeacaf4cfff290ea9758e36e65b397ee6d568

Download Submit
C:\Users\Admin\AppData\Local\Temp\meshummad
Filesize
29KB

MD5
1ff2550622f09eb6ccb75d9bb6b84cb9

SHA1
390af6c9fa2e296501f9e55dbbc5988d9f15e371

SHA256
858baf51b3d786c2a565fe5e8a8bfdd10ef1ef4b40a9415e43c8658f8fcb49fb

SHA512
089e72c17aa59cbbfef53e7e6598cb7cddf0d446ef130e3cfdc5064d0740c1a98d694bcbb02442eb87c03426e1ec74a5c68c90ae0f4b263d521b21ee514f9c8c

Download Submit
C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
Filesize
109.2MB

MD5
b27a1f17ec81cc4138e33e69c0e4592d

SHA1
7e15c775c627c039efe343cc318109d87e3f1f79

SHA256
db1dd43ff41c8986d18ab4857f71779677fe348e2302aa533f36753d6f684c9f

SHA512
6f846dd78f90e7e50fd17e37f332659bac14341ebda57444f1a3423b89f98263e7b521af1a915d2424c0044d6d17b6884d39b7db572f71aa7e2cc0322d6f92a8

Download Submit
memory/1380-10-0x0000000001100000-0x0000000001104000-memory.dmp

Filesize
16KB

Download
memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp

Filesize
264KB

Download
memory/2016-33-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/2016-34-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads