agenttesla | ecace832b0e30b5a54e6af43bd5a990ba0ffd4ecd549b6ca6597332f073579e3

General

Target

Loader.exe
Size

30.5MB
MD5

6f6d0e09fae7de66a3547c93dd3e7c97
SHA1

e42a226083e178e9d40bb0c52ece216ee7e48627
SHA256

a216b785458dfab3b50cb6203d486eeeb23938b34df97da29ac60a306c4668ae
SHA512

d2644ebe5bac6632e7e3ef6626b38af742be1e1cc56b163dd4edf3910857383949bc7e05f1b78037c1191c1f22d158e896a4b2b850bef8485f47fceeca89f7e1
SSDEEP

786432:8S9UdJ7EOnWdQb/0cVWXXS9UdJ7EOnWdQb/0cVW:8S9UH7EOWd6/fCS9UH7EOWd6/f

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3868-30-0x0000000009F30000-0x000000000A144000-memory.dmp	family_agenttesla

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation Loader.exe
Executes dropped EXE 2 IoCs

Processes:

gqg1.exedestroyex.exe

pid process

3804 gqg1.exe
2760 destroyex.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Loader.exe

pid	process
3804	gqg1.exe
2760	destroyex.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

gqg1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	gqg1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 raw.githubusercontent.com
14 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

908 timeout.exe

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com

pid	process
908	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Loader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Loader.exe

description pid process

Token: SeDebugPrivilege 3868 Loader.exe

description	pid	process
Token: SeDebugPrivilege	3868	Loader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Loader.exegqg1.execmd.exe

description	pid	process	target process
PID 3868 wrote to memory of 3804	3868	Loader.exe	gqg1.exe
PID 3868 wrote to memory of 3804	3868	Loader.exe	gqg1.exe
PID 3868 wrote to memory of 2760	3868	Loader.exe	destroyex.exe
PID 3868 wrote to memory of 2760	3868	Loader.exe	destroyex.exe
PID 3804 wrote to memory of 4272	3804	gqg1.exe	cmd.exe
PID 3804 wrote to memory of 4272	3804	gqg1.exe	cmd.exe
PID 4272 wrote to memory of 908	4272	cmd.exe	timeout.exe
PID 4272 wrote to memory of 908	4272	cmd.exe	timeout.exe
PID 4272 wrote to memory of 1104	4272	cmd.exe	tree.com
PID 4272 wrote to memory of 1104	4272	cmd.exe	tree.com
PID 4272 wrote to memory of 1172	4272	cmd.exe	cmd.exe
PID 4272 wrote to memory of 1172	4272	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\gqg1.exe
  "C:\Users\gqg1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "Loading.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\system32\timeout.exe
      timeout 2
      4⤵
      Delays execution with timeout.exe
      PID:908
  - - C:\Windows\system32\tree.com
      tree
      4⤵
      PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "PROMPT $H&FOR %B in (1) DO REM"
      4⤵
      PID:1172
- C:\Users\destroyex.exe
  "C:\Users\destroyex.exe"
  2⤵
  - Executes dropped EXE
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Loading.bat

Filesize
760B

MD5
ea38c2801e8977ed94a056891fa8dce5

SHA1
852e1eab60f2181632b5194e609b30ee0be6c3a2

SHA256
dc677aa5032de05787f3c903d3ae8a4ae81a65c1ba4b7cb0749a02f59c4f00e4

SHA512
33840dd13fb1d32b0ca5464a6bfef3ff958abd4f2097ec0f6d22d9d37d6abe5668e0cac133af855a1ace0edb1f92fcc0d3e27036aa7704fbf0708a1e1a2c48c7

Download Submit
C:\Users\destroyex.exe

Filesize
60KB

MD5
714f0bf52a974abd6f6c76c0cbcde33d

SHA1
47803c70fb58666351961c53a35df7850205037b

SHA256
76ae57f5946515226c055a7809bf85001a091242b1da2433e815db43243c3230

SHA512
deff8a6266aacd140c29d538d92bce85dead414893a9428397c05ede5e6c2d0b5c1b885b0b787cc24ed2aae176cc5e4ef3ca6eeb92275580a96cd79df3caf9c2

Download Submit
C:\Users\gqg1.exe

Filesize
154KB

MD5
90f67c314f946a7720132a4f1da936e3

SHA1
d2cbb8ae3f569882ebc4dbaf050d34725a8da9b0

SHA256
d7acfd22e11639ce7f74f30beb43b553beead50dd4fbe662d46628841f6bc139

SHA512
15ab36862c3e4ac88631029175286d8356aaebcbbdcf9e03dcefc2c9dd88fbd3e4e39b7ca5688c4eec94e2af410197c6784fa6566f4f908b4c8f66839e52795e

Download Submit
memory/2760-24-0x00007FF6CC260000-0x00007FF6CC285000-memory.dmp

Filesize
148KB

Download
memory/3868-3-0x0000000006990000-0x0000000006A22000-memory.dmp

Filesize
584KB

Download
memory/3868-4-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/3868-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/3868-2-0x0000000006F40000-0x00000000074E4000-memory.dmp

Filesize
5.6MB

Download
memory/3868-1-0x0000000000100000-0x0000000001F8E000-memory.dmp

Filesize
30.6MB

Download
memory/3868-28-0x0000000009B90000-0x0000000009BA2000-memory.dmp

Filesize
72KB

Download
memory/3868-29-0x0000000009BC0000-0x0000000009BCA000-memory.dmp

Filesize
40KB

Download
memory/3868-30-0x0000000009F30000-0x000000000A144000-memory.dmp

Filesize
2.1MB

Download
memory/3868-31-0x0000000004250000-0x000000000428C000-memory.dmp

Filesize
240KB

Download
memory/3868-32-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/3868-33-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads