agenttesla | 3339684c5ea9d82228af499585907e9eab5a99ecaf9fda63518fa112ba394527

General

Target

WZAgent.exe
Size

9.4MB
MD5

86137e9ed8313472f22f6e523d8ad219
SHA1

49e66323a9ad23e49569edfb0f4ca2d3c67ef61b
SHA256

e25599248cbab0ee17db46769aefac345098d9a066192f89c0072a38c726f50a
SHA512

f06d574d3a5040303ef9a246a73163675169f8e5086835279a376ab14442f3f38afe70ea31fc68357845e28e3872e94e9b8f67694a3b6fc288d5b85d7d2975d6
SSDEEP

196608:/ntsxE5JupJ6XmXIY3AmEXxeA32ngfgZ5Kv+yWGqL+aewN8L:/nts+Upam4OAmEXn4Z5C+RLN

Score

10^/10

agenttesla agilenet evasion keylogger spyware stealer themida trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3788-6-0x000001DE7B040000-0x000001DE7B232000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

WZAgent.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ WZAgent.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WZAgent.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WZAgent.exeZipExtractor.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WZAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ZipExtractor.exe

Executes dropped EXE 2 IoCs

Processes:

ZipExtractor.exeWZAgent.exe

pid process

1808 ZipExtractor.exe
3268 WZAgent.exe
Loads dropped DLL 1 IoCs

Processes:

WZAgent.exe

pid process

3268 WZAgent.exe

pid	process
1808	ZipExtractor.exe
3268	WZAgent.exe

pid	process
3268	WZAgent.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3268-49-0x0000000000400000-0x00000000023C0000-memory.dmp	agile_net
behavioral2/memory/3268-50-0x0000000000400000-0x00000000023C0000-memory.dmp	agile_net
behavioral2/memory/3268-78-0x0000000000400000-0x00000000023C0000-memory.dmp	agile_net

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe	themida
behavioral2/memory/3268-49-0x0000000000400000-0x00000000023C0000-memory.dmp	themida
behavioral2/memory/3268-50-0x0000000000400000-0x00000000023C0000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\67086c7f-8595-4935-b455-2a765bd8e033\AgileDotNetRT64.dll	themida
behavioral2/memory/3268-57-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-59-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-63-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-65-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-67-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-71-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-73-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-77-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp	themida
behavioral2/memory/3268-78-0x0000000000400000-0x00000000023C0000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

WZAgent.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA WZAgent.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

WZAgent.exe

pid process

3268 WZAgent.exe
3268 WZAgent.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

WZAgent.exeZipExtractor.exe

pid process

3788 WZAgent.exe
3788 WZAgent.exe
1808 ZipExtractor.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WZAgent.exeZipExtractor.exeWZAgent.exe

description pid process

Token: SeDebugPrivilege 3788 WZAgent.exe
Token: SeDebugPrivilege 1808 ZipExtractor.exe
Token: SeDebugPrivilege 3268 WZAgent.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe

pid	process
3268	WZAgent.exe
3268	WZAgent.exe

pid	process
3788	WZAgent.exe
3788	WZAgent.exe
1808	ZipExtractor.exe

description	pid	process
Token: SeDebugPrivilege	3788	WZAgent.exe
Token: SeDebugPrivilege	1808	ZipExtractor.exe
Token: SeDebugPrivilege	3268	WZAgent.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

WZAgent.exeZipExtractor.exe

description	pid	process	target process
PID 3788 wrote to memory of 1808	3788	WZAgent.exe	ZipExtractor.exe
PID 3788 wrote to memory of 1808	3788	WZAgent.exe	ZipExtractor.exe
PID 1808 wrote to memory of 3268	1808	ZipExtractor.exe	WZAgent.exe
PID 1808 wrote to memory of 3268	1808	ZipExtractor.exe	WZAgent.exe

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe
"C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WZAgent.exe.log
Filesize
2KB

MD5
40e3389bf879531ea7720d495094e387

SHA1
20702b17222f07500923140f88d9c4b521552f9a

SHA256
1a8838d6bc3b922472036773fb225d54c4833ab3ec2b1df3fd5baaf7812f08a3

SHA512
5cfd540de97bfed26ca1897daebeca9b4c6de57a43cdccfb127e6fdbc8b1850967be70e86376ab813f1db431f3a585475f98ad4007b57f757e81bbc75a7d23e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\67086c7f-8595-4935-b455-2a765bd8e033\AgileDotNetRT64.dll
Filesize
4.0MB

MD5
8e839b26c5efed6f41d6e854e5e97f5b

SHA1
5cb71374f72bf6a63ff65a6cda57ff66c3e54836

SHA256
1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011

SHA512
92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
Filesize
24.3MB

MD5
2812e3412cdfde43d093addd686f7541

SHA1
6044220194e89f9e4054ae049708aa364f4a2557

SHA256
fc7eb157162927439876c4562b5384cc68db185bfcf91335c8c7edc1d2dcf5ff

SHA512
8fa3035a2959854971539d0b62594c152c25417a6c55581eb91510730aed661e97698685a3566f7ade939cb1c55429f6b73fd9159f04de6e78571e55de2148a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.zip
Filesize
24.1MB

MD5
79dec0503e6653f7fa51aac10ab8af28

SHA1
a091c55d56855f852d89d4c552ed3c28c35229f3

SHA256
8a3dce3d2206ef5cfcc674d7c537ecdb0fb7f3915214b0ab6a6a39aaa14aaf5e

SHA512
6416ef9201c56e2bf3e87445ca042a4fcf8e6a8ad8d5b0ac012a2329d0eea9ea045b2bc6f0d7bdefc05685c3be68b0b20946d91526f75728a5b4b8b4524c8e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe
Filesize
99KB

MD5
6c8a405b8243837682378cfbefa92001

SHA1
21a120c6fcca8aff536cb896586131376497bc86

SHA256
a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2

SHA512
12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

Download Submit
memory/1808-43-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/1808-24-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/1808-28-0x000001F9D8B60000-0x000001F9D8B6A000-memory.dmp

Filesize
40KB

Download
memory/1808-27-0x000001F9DB7C0000-0x000001F9DB7D2000-memory.dmp

Filesize
72KB

Download
memory/1808-21-0x000001F9BE520000-0x000001F9BE53E000-memory.dmp

Filesize
120KB

Download
memory/1808-22-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/3268-50-0x0000000000400000-0x00000000023C0000-memory.dmp

Filesize
31.8MB

Download
memory/3268-66-0x0000000000400000-0x00000000023C0000-memory.dmp

Filesize
31.8MB

Download
memory/3268-78-0x0000000000400000-0x00000000023C0000-memory.dmp

Filesize
31.8MB

Download
memory/3268-77-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-75-0x000000001DC50000-0x000000001DCC6000-memory.dmp

Filesize
472KB

Download
memory/3268-74-0x000000001DB10000-0x000000001DBC2000-memory.dmp

Filesize
712KB

Download
memory/3268-73-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-71-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-44-0x0000000000400000-0x00000000023C0000-memory.dmp

Filesize
31.8MB

Download
memory/3268-67-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-49-0x0000000000400000-0x00000000023C0000-memory.dmp

Filesize
31.8MB

Download
memory/3268-65-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-63-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-57-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-59-0x00007FFC6F980000-0x00007FFC704A9000-memory.dmp

Filesize
11.2MB

Download
memory/3268-60-0x00007FFC72F10000-0x00007FFC7305E000-memory.dmp

Filesize
1.3MB

Download
memory/3268-61-0x0000000020460000-0x00000000210E6000-memory.dmp

Filesize
12.5MB

Download
memory/3788-1-0x000001DE77400000-0x000001DE77D62000-memory.dmp

Filesize
9.4MB

Download
memory/3788-6-0x000001DE7B040000-0x000001DE7B232000-memory.dmp

Filesize
1.9MB

Download
memory/3788-26-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/3788-2-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/3788-0-0x00007FFC74863000-0x00007FFC74865000-memory.dmp

Filesize
8KB

Download
memory/3788-3-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/3788-7-0x00007FFC74860000-0x00007FFC75321000-memory.dmp

Filesize
10.8MB

Download
memory/3788-4-0x000001DE7A4C0000-0x000001DE7AF46000-memory.dmp

Filesize
10.5MB

Download
memory/3788-5-0x000001DE7A1D0000-0x000001DE7A246000-memory.dmp

Filesize
472KB

Download
memory/3788-25-0x000001DE7D760000-0x000001DE7D862000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads