agenttesla | 58806e1209b95a365b5a0f4868f5c964c99f05fa33a3547228801ed123e27c4a

General

Target

Zwle Perm V3.0.0.2.exe
Size

2.8MB
MD5

77a9cc4377538f59a59003bd77cc994b
SHA1

f516c856119b0fef681a491e40d560a8e0867d30
SHA256

58806e1209b95a365b5a0f4868f5c964c99f05fa33a3547228801ed123e27c4a
SHA512

0279fe79a4bc484b08423453a6b572489506b27f8bc7caaba8709d3aef8fc7142ff0ab5b1c140076807b1231cc78908e956c7ac03e2a136a9aa46e4e730bfdcb
SSDEEP

49152:6ZB1G8YlKsep9Xeuv7jYyPlYEyO3VfpUhhkTngHk88tlJciK2ZrWq7Lx+6zz:g3GHKseiu3zPlYERNpU3MgE88632ZrDv

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guna.UI2.dll	family_agenttesla
behavioral2/memory/2116-28-0x0000000006F60000-0x0000000007174000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Zwle Perm.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Zwle Perm.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Zwle Perm.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Zwle Perm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	Zwle Perm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	Zwle Perm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zwle Perm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zwle Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zwle Perm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zwle Perm V3.0.0.2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	Zwle Perm V3.0.0.2.exe

Executes dropped EXE 1 IoCs

Processes:

Zwle Perm.exe

pid process

2116 Zwle Perm.exe
Loads dropped DLL 2 IoCs

Processes:

Zwle Perm.exe

pid process

2116 Zwle Perm.exe
2116 Zwle Perm.exe

pid	process
2116	Zwle Perm.exe

pid	process
2116	Zwle Perm.exe
2116	Zwle Perm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Zwle Perm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Zwle Perm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Zwle Perm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1816 2116 WerFault.exe Zwle Perm.exe

pid	pid_target	process	target process
1816	2116	WerFault.exe	Zwle Perm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zwle Perm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Zwle Perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Zwle Perm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Zwle Perm.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Zwle Perm.exe

pid process

2116 Zwle Perm.exe
2116 Zwle Perm.exe
2116 Zwle Perm.exe
2116 Zwle Perm.exe
2116 Zwle Perm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Zwle Perm.exe

description pid process

Token: SeDebugPrivilege 2116 Zwle Perm.exe

pid	process
2116	Zwle Perm.exe
2116	Zwle Perm.exe
2116	Zwle Perm.exe
2116	Zwle Perm.exe
2116	Zwle Perm.exe

description	pid	process
Token: SeDebugPrivilege	2116	Zwle Perm.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Zwle Perm V3.0.0.2.exe

description	pid	process	target process
PID 4884 wrote to memory of 2116	4884	Zwle Perm V3.0.0.2.exe	Zwle Perm.exe
PID 4884 wrote to memory of 2116	4884	Zwle Perm V3.0.0.2.exe	Zwle Perm.exe
PID 4884 wrote to memory of 2116	4884	Zwle Perm V3.0.0.2.exe	Zwle Perm.exe

C:\Users\Admin\AppData\Local\Temp\Zwle Perm V3.0.0.2.exe
"C:\Users\Admin\AppData\Local\Temp\Zwle Perm V3.0.0.2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4884

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zwle Perm.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zwle Perm.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1904
3⤵
- Program crash
PID:1816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2116 -ip 2116
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zwle Perm.exe

Filesize
1.6MB

MD5
f72ac665049a7d1047c92a148afe6909

SHA1
b0ce4898be969862c872c5e95408658ad9eb2636

SHA256
bf7e42bdccfb470b2f0cce04242c0e0def2a45a9aff19bd91a7de2bfde36573c

SHA512
8a1fafbcff9d750da5acd87bccbf2270766a19af2963588b63cf750cac54a51ef150b9c99d26ccdd8fbcca623e39d89223e6fc9660aac5bd6ee20856ded320ef

Download Submit
memory/2116-21-0x0000000005AF0000-0x0000000005B82000-memory.dmp

Filesize
584KB

Download
memory/2116-18-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/2116-19-0x0000000005900000-0x0000000005A12000-memory.dmp

Filesize
1.1MB

Download
memory/2116-20-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download
memory/2116-17-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-22-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/2116-23-0x0000000006B70000-0x0000000006B82000-memory.dmp

Filesize
72KB

Download
memory/2116-24-0x0000000006CC0000-0x0000000006CCA000-memory.dmp

Filesize
40KB

Download
memory/2116-16-0x0000000000D80000-0x0000000000F2E000-memory.dmp

Filesize
1.7MB

Download
memory/2116-28-0x0000000006F60000-0x0000000007174000-memory.dmp

Filesize
2.1MB

Download
memory/2116-29-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads