agenttesla | 45c1433d1344ab472d18aa57b65d3c6b184b04148e7b69194c501ede658372b0

General

Target

e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe
Size

804KB
MD5

e8b61b099af93918a7d59477334471e0
SHA1

a2ce7a730e96bf6c8f9cd512993fd67cf0c10767
SHA256

e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb
SHA512

30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855
SSDEEP

12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 2 IoCs

Processes:

kigtiqm.exekigtiqm.exe

pid process

1112 kigtiqm.exe
540 kigtiqm.exe

pid	process
1112	kigtiqm.exe
540	kigtiqm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

kigtiqm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dvuibsk = "C:\\Users\\Admin\\AppData\\Roaming\\rhal\\heuy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kigtiqm.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xm"	kigtiqm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

kigtiqm.exe

description pid process target process

PID 1112 set thread context of 540 1112 kigtiqm.exe kigtiqm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

kigtiqm.exe

pid process

1112 kigtiqm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kigtiqm.exe

description pid process

Token: SeDebugPrivilege 540 kigtiqm.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

kigtiqm.exe

pid process

1112 kigtiqm.exe
1112 kigtiqm.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

kigtiqm.exe

pid process

1112 kigtiqm.exe
1112 kigtiqm.exe

description	pid	process	target process
PID 1112 set thread context of 540	1112	kigtiqm.exe	kigtiqm.exe

pid	process
1112	kigtiqm.exe

description	pid	process
Token: SeDebugPrivilege	540	kigtiqm.exe

pid	process
1112	kigtiqm.exe
1112	kigtiqm.exe

pid	process
1112	kigtiqm.exe
1112	kigtiqm.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exekigtiqm.exe

description	pid	process	target process
PID 1572 wrote to memory of 1112	1572	e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe	kigtiqm.exe
PID 1572 wrote to memory of 1112	1572	e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe	kigtiqm.exe
PID 1572 wrote to memory of 1112	1572	e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe	kigtiqm.exe
PID 1112 wrote to memory of 540	1112	kigtiqm.exe	kigtiqm.exe
PID 1112 wrote to memory of 540	1112	kigtiqm.exe	kigtiqm.exe
PID 1112 wrote to memory of 540	1112	kigtiqm.exe	kigtiqm.exe
PID 1112 wrote to memory of 540	1112	kigtiqm.exe	kigtiqm.exe

C:\Users\Admin\AppData\Local\Temp\e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe
"C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe" "C:\Users\Admin\AppData\Local\Temp\xmnxoix.au3"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe
"C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bzeakrjaft.hv

Filesize
68KB

MD5
3fcceb6589669e4f6c1f159a9b6fa0d9

SHA1
37b0be703e1bb6c1b0eb06fd25a91724f5ce5264

SHA256
935134c9d742e8364884a2647aef3490ddd89aa5c1f99183a57bbc5829fe02c0

SHA512
05537dc4d259dc0e0cd9f83b8d816aef4154aedc6c96642c8b7979ee41760d8cb35ccd6eed2f9c5416fa132a53ab9f62bab57cff9800f203906509c86c8c509c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chdtr.tlz

Filesize
263KB

MD5
68e51dc63d26a2e2f8e8bd9a4a0be275

SHA1
2616ce912fc994ecabe75b853511b9aa4202fc97

SHA256
9f27f632aac3e100bbbb7969deaf2c731c01755c1085e92e80ddd9c360487d76

SHA512
574d8864bf4f048be5207f0a71e26e1a8ae5e182f73d5b956c41d5fd703899446824e85f287c8c4f3c50aed21da53596a57435e10f4a9cfd37688e97683fa62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmnxoix.au3

Filesize
4KB

MD5
0d013f6baac0a09a1fb8e14217317503

SHA1
453fba3488930e98d075946a31e5455b84eed5ba

SHA256
0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83

SHA512
05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced

Download Submit
memory/540-19-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-22-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-15-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-18-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/540-30-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-20-0x0000000005FD0000-0x0000000006000000-memory.dmp

Filesize
192KB

Download
memory/540-21-0x0000000074BD0000-0x0000000075380000-memory.dmp

Filesize
7.7MB

Download
memory/540-12-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/540-23-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-24-0x00000000066F0000-0x0000000006C94000-memory.dmp

Filesize
5.6MB

Download
memory/540-25-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-26-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-27-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-28-0x0000000006030000-0x0000000006040000-memory.dmp

Filesize
64KB

Download
memory/540-29-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/1112-8-0x0000000000980000-0x0000000000982000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads