agenttesla | d63479ab0f886e83ad5b3a87021cd0f9e68a55bc95c1ac0f6f2b9bd505bb7855

General

Target

chrme.exe
Size

3.8MB
MD5

ee00a6f2b4c502a4132bb362c22ebfc9
SHA1

0dd02a779556215993bd7d8a91ff47f59c76c0ad
SHA256

d63479ab0f886e83ad5b3a87021cd0f9e68a55bc95c1ac0f6f2b9bd505bb7855
SHA512

c379e97965c6ef4dac4222950d7a005060a2d004494b87675b8952ab5454505caecea7e98f7282e7f9bb93ed2422e2687c307d6797f3cc9d1723e9a6ba302044
SSDEEP

98304:bmhr/7J8d9gYg5T39WNqpvh1w6GDk0Y7K5JEyUaJnraU11lwnkqXf0FF:b+nJUgj0I5h1lGg0gKHEyUeLXl0kSIF

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3068-4-0x0000000005250000-0x0000000005462000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrme.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrme.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrme.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	chrme.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

chrme.exe

pid process

3068 chrme.exe

pid	process
3068	chrme.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrme.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	3068	chrme.exe
Token: SeIncreaseQuotaPrivilege	1720	wmic.exe
Token: SeSecurityPrivilege	1720	wmic.exe
Token: SeTakeOwnershipPrivilege	1720	wmic.exe
Token: SeLoadDriverPrivilege	1720	wmic.exe
Token: SeSystemProfilePrivilege	1720	wmic.exe
Token: SeSystemtimePrivilege	1720	wmic.exe
Token: SeProfSingleProcessPrivilege	1720	wmic.exe
Token: SeIncBasePriorityPrivilege	1720	wmic.exe
Token: SeCreatePagefilePrivilege	1720	wmic.exe
Token: SeBackupPrivilege	1720	wmic.exe
Token: SeRestorePrivilege	1720	wmic.exe
Token: SeShutdownPrivilege	1720	wmic.exe
Token: SeDebugPrivilege	1720	wmic.exe
Token: SeSystemEnvironmentPrivilege	1720	wmic.exe
Token: SeRemoteShutdownPrivilege	1720	wmic.exe
Token: SeUndockPrivilege	1720	wmic.exe
Token: SeManageVolumePrivilege	1720	wmic.exe
Token: 33	1720	wmic.exe
Token: 34	1720	wmic.exe
Token: 35	1720	wmic.exe
Token: SeIncreaseQuotaPrivilege	1720	wmic.exe
Token: SeSecurityPrivilege	1720	wmic.exe
Token: SeTakeOwnershipPrivilege	1720	wmic.exe
Token: SeLoadDriverPrivilege	1720	wmic.exe
Token: SeSystemProfilePrivilege	1720	wmic.exe
Token: SeSystemtimePrivilege	1720	wmic.exe
Token: SeProfSingleProcessPrivilege	1720	wmic.exe
Token: SeIncBasePriorityPrivilege	1720	wmic.exe
Token: SeCreatePagefilePrivilege	1720	wmic.exe
Token: SeBackupPrivilege	1720	wmic.exe
Token: SeRestorePrivilege	1720	wmic.exe
Token: SeShutdownPrivilege	1720	wmic.exe
Token: SeDebugPrivilege	1720	wmic.exe
Token: SeSystemEnvironmentPrivilege	1720	wmic.exe
Token: SeRemoteShutdownPrivilege	1720	wmic.exe
Token: SeUndockPrivilege	1720	wmic.exe
Token: SeManageVolumePrivilege	1720	wmic.exe
Token: 33	1720	wmic.exe
Token: 34	1720	wmic.exe
Token: 35	1720	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

chrme.exe

description	pid	process	target process
PID 3068 wrote to memory of 1720	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 1720	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 1720	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 1720	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2696	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2696	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2696	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2696	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2680	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2680	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2680	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2680	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2684	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2684	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2684	3068	chrme.exe	wmic.exe
PID 3068 wrote to memory of 2684	3068	chrme.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\chrme.exe
"C:\Users\Admin\AppData\Local\Temp\chrme.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" csproduct get uuid
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" BaseBoard get SerialNumber
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" csproduct get uuid
2⤵
PID:2680

C:\Windows\SysWOW64\Wbem\wmic.exe
"wmic" BaseBoard get SerialNumber
2⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-0-0x00000000010C0000-0x000000000148E000-memory.dmp

Filesize
3.8MB

Download
memory/3068-1-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-2-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/3068-3-0x0000000000EE0000-0x0000000000F92000-memory.dmp

Filesize
712KB

Download
memory/3068-4-0x0000000005250000-0x0000000005462000-memory.dmp

Filesize
2.1MB

Download
memory/3068-5-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/3068-6-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-7-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/3068-8-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads