agenttesla | 2f197a7f01a432bd63fb008e8b005c6eeb4db0df80284ce9d9756b31942ea4fb

General

Target

Mars.exe
Size

7.5MB
MD5

9a33f57b10f596434250189e0256c478
SHA1

cdb0cb462d096e89edebcd928b7b400d3d91f0db
SHA256

2f197a7f01a432bd63fb008e8b005c6eeb4db0df80284ce9d9756b31942ea4fb
SHA512

22e672e74a535bfb0571e6751ccd16ecfed047957838a5481fb4907ab564b6fa04fc5265a915904f6dba81b82419b60ebaa85d17b8f5daaaaea814bec482e13c
SSDEEP

196608:ot3HZCNIAJWh3fl3Y1WgqyXZBjPet3PbUy33ky:CcgP4WgqwPetbZ

Score

10^/10

agenttesla evasion keylogger spyware stealer themida trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4712-9-0x0000000003E90000-0x00000000040A4000-memory.dmp	family_agenttesla
behavioral1/memory/4712-19-0x0000000010000000-0x0000000010214000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Mars.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Mars.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mars.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mars.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mars.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mars.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/4712-13-0x0000000000640000-0x0000000001A68000-memory.dmp	themida
behavioral1/memory/4712-14-0x0000000000640000-0x0000000001A68000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Mars.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Mars.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Mars.exe

pid process

4712 Mars.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mars.exe

pid	process
4712	Mars.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mars.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Mars.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Mars.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Mars.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Mars.exe

pid process

4712 Mars.exe
4712 Mars.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Mars.exe

description pid process

Token: SeDebugPrivilege 4712 Mars.exe

pid	process
4712	Mars.exe
4712	Mars.exe

description	pid	process
Token: SeDebugPrivilege	4712	Mars.exe

C:\Users\Admin\AppData\Local\Temp\Mars.exe
"C:\Users\Admin\AppData\Local\Temp\Mars.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4712-0-0x0000000000640000-0x0000000001A68000-memory.dmp

Filesize
20.2MB

Download
memory/4712-1-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-2-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-3-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-4-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-5-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-6-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-7-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-8-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-9-0x0000000003E90000-0x00000000040A4000-memory.dmp

Filesize
2.1MB

Download
memory/4712-10-0x0000000077A24000-0x0000000077A26000-memory.dmp

Filesize
8KB

Download
memory/4712-13-0x0000000000640000-0x0000000001A68000-memory.dmp

Filesize
20.2MB

Download
memory/4712-14-0x0000000000640000-0x0000000001A68000-memory.dmp

Filesize
20.2MB

Download
memory/4712-15-0x0000000006D20000-0x00000000072C4000-memory.dmp

Filesize
5.6MB

Download
memory/4712-16-0x0000000006810000-0x00000000068A2000-memory.dmp

Filesize
584KB

Download
memory/4712-17-0x0000000006780000-0x000000000678A000-memory.dmp

Filesize
40KB

Download
memory/4712-19-0x0000000010000000-0x0000000010214000-memory.dmp

Filesize
2.1MB

Download
memory/4712-20-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download
memory/4712-21-0x000000000A2B0000-0x000000000A2C2000-memory.dmp

Filesize
72KB

Download
memory/4712-23-0x000000000AAA0000-0x000000000AADC000-memory.dmp

Filesize
240KB

Download
memory/4712-25-0x0000000000640000-0x0000000001A68000-memory.dmp

Filesize
20.2MB

Download
memory/4712-26-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-27-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-28-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-30-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-31-0x0000000076110000-0x0000000076200000-memory.dmp

Filesize
960KB

Download
memory/4712-32-0x0000000006A10000-0x0000000006A20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads