agenttesla | 72c8c3dd1f471377a5e1f7bd7fc0345b7c90a2b4f2b95b31532161c269dcc0fd

General

Target

peak.exe
Size

8.1MB
MD5

6216754d616e11771cc50fff0191e270
SHA1

7d9d187690845a8bbc9a300fdc6e7a51d411b08b
SHA256

72c8c3dd1f471377a5e1f7bd7fc0345b7c90a2b4f2b95b31532161c269dcc0fd
SHA512

471fb4068fa6fdd20e1dc88a24bb9c22cf12d5422dbecc29b174070af0be6f5195800ad597e398ffe179604a4aa2518f0ec27bd2cf7dc8a395ef00dcd3a6c803
SSDEEP

196608:jTQs1gi/7DMLibCjMAhT7oarL1VnnvbWFTbPfiXr:jT+i/7DM+byHwSZTC/X

Score

10^/10

agenttesla bootkit evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-19-0x0000000006E30000-0x0000000007042000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

peak.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ peak.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	peak.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

peak.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	peak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	peak.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

peak.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA peak.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 discord.com
16 discord.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

peak.exe

description ioc process

File opened for modification \??\PhysicalDrive0 peak.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

peak.exe

pid process

4648 peak.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	peak.exe

flow	ioc
15	discord.com
16	discord.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	peak.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

peak.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	peak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	peak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	peak.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

peak.exe

pid	process
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe
4648	peak.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

peak.exe

description pid process

Token: SeDebugPrivilege 4648 peak.exe

description	pid	process
Token: SeDebugPrivilege	4648	peak.exe

C:\Users\Admin\AppData\Local\Temp\peak.exe
"C:\Users\Admin\AppData\Local\Temp\peak.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
1⤵
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4648-0-0x0000000000860000-0x0000000001704000-memory.dmp

Filesize
14.6MB

Download
memory/4648-1-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-2-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-4-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-3-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-6-0x00000000779C4000-0x00000000779C6000-memory.dmp

Filesize
8KB

Download
memory/4648-5-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-11-0x0000000000860000-0x0000000001704000-memory.dmp

Filesize
14.6MB

Download
memory/4648-14-0x0000000000860000-0x0000000001704000-memory.dmp

Filesize
14.6MB

Download
memory/4648-13-0x0000000000860000-0x0000000001704000-memory.dmp

Filesize
14.6MB

Download
memory/4648-15-0x0000000006880000-0x0000000006E24000-memory.dmp

Filesize
5.6MB

Download
memory/4648-16-0x0000000006220000-0x00000000062B2000-memory.dmp

Filesize
584KB

Download
memory/4648-17-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4648-18-0x0000000006510000-0x000000000651A000-memory.dmp

Filesize
40KB

Download
memory/4648-19-0x0000000006E30000-0x0000000007042000-memory.dmp

Filesize
2.1MB

Download
memory/4648-20-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-21-0x00000000099C0000-0x00000000099CA000-memory.dmp

Filesize
40KB

Download
memory/4648-22-0x00000000099F0000-0x0000000009A0A000-memory.dmp

Filesize
104KB

Download
memory/4648-23-0x0000000009A10000-0x0000000009AC2000-memory.dmp

Filesize
712KB

Download
memory/4648-24-0x0000000009B30000-0x0000000009B52000-memory.dmp

Filesize
136KB

Download
memory/4648-25-0x0000000009B60000-0x0000000009EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-26-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-28-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-29-0x0000000077850000-0x0000000077940000-memory.dmp

Filesize
960KB

Download
memory/4648-30-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4648-32-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4648-35-0x0000000006170000-0x0000000006180000-memory.dmp

Filesize
64KB

Download
memory/4648-41-0x0000000001C00000-0x0000000001C22000-memory.dmp

Filesize
136KB

Download
memory/4648-42-0x0000000009650000-0x00000000096B6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads