agenttesla | ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c

Resubmissions

22/09/2024, 09:23

240922-lcmh6ssclm 9

21/09/2024, 08:10

21/09/2024, 07:38

28/07/2024, 17:11

18/06/2024, 14:08

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240708-de
resource tags

arch:x64arch:x86image:win7-20240708-delocale:de-deos:windows7-x64systemwindows
submitted
28/07/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WZAgent.exe
Size

26.2MB
MD5

4cf978f2749291d8d9a722cf8bd9d9ea
SHA1

2580a9be8bc6994987cc4951a4690efd7077ea92
SHA256

ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c
SHA512

d1ba2ea6a06cf5241bd26319b7bd2da7cb3ca0453496703fa66413cc56edf9893414a970dfb67451cfb85ef735305986958ba852287b3dc63b7cf28ab351d61d
SSDEEP

786432:Ov1EWULlsocwpd3XHEquH6rdEePFG/7vG43EY6:Ov1EWusor8j6r714

Score

10^/10

agenttesla agilenet evasion keylogger spyware stealer themida trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2736-33-0x0000000020E00000-0x0000000020FF2000-memory.dmp	family_agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe

Executes dropped EXE 2 IoCs

pid	Process
532	ZipExtractor.exe
2456	WZAgent.exe

Loads dropped DLL 3 IoCs

pid	Process
2736	WZAgent.exe
532	ZipExtractor.exe
2456	WZAgent.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2736-6-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral1/memory/2736-7-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral1/memory/2736-54-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral1/memory/2456-67-0x0000000000400000-0x0000000002788000-memory.dmp	agile_net
behavioral1/memory/2456-68-0x0000000000400000-0x0000000002788000-memory.dmp	agile_net

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2736-6-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral1/memory/2736-7-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral1/files/0x001500000001739f-12.dat	themida
behavioral1/memory/2736-15-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2736-18-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2736-30-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2736-42-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2736-52-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2736-54-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral1/files/0x00080000000173a3-61.dat	themida
behavioral1/memory/2456-67-0x0000000000400000-0x0000000002788000-memory.dmp	themida
behavioral1/memory/2456-68-0x0000000000400000-0x0000000002788000-memory.dmp	themida
behavioral1/memory/2456-77-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2456-90-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2456-94-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2456-96-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida
behavioral1/memory/2456-104-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2736	WZAgent.exe
2736	WZAgent.exe
2456	WZAgent.exe
2456	WZAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
532	ZipExtractor.exe
2736	WZAgent.exe
2736	WZAgent.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	WZAgent.exe
Token: SeDebugPrivilege	532	ZipExtractor.exe
Token: SeDebugPrivilege	2456	WZAgent.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 532	2736	WZAgent.exe	31
PID 2736 wrote to memory of 532	2736	WZAgent.exe	31
PID 2736 wrote to memory of 532	2736	WZAgent.exe	31
PID 532 wrote to memory of 2456	532	ZipExtractor.exe	32
PID 532 wrote to memory of 2456	532	ZipExtractor.exe	32
PID 532 wrote to memory of 2456	532	ZipExtractor.exe	32

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe
  "C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
    "C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a4faef0393d1fec8d885afebd0bc3ec

SHA1
9826250db2b507a94177bad7b214016a72906267

SHA256
7655863d09906a3b6e435f79b68a55b10bffe423219ecc4d1df556a0d9e8b3bd

SHA512
82bf7a9edebe4d347a9ae4205f5a9b16aa1a6cdfdc76bfa652d472afaf92d1be85a664ad8c2d35a999495fa9301642f2933204b390903ac4d2fb6def723f00b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab34E6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

Filesize
28.1MB

MD5
9a5a67984bec57723b1e013f38eaa258

SHA1
aa0868e6cd489e27b57c9bae31bc9c99b270bad1

SHA256
81a363f651c2ce2a54c62c637acebf3b23c163854cf1a28b3c3494a649d14a7d

SHA512
ce702691d2be9db0961967d67ee69db99992967730bea696f620d4124267eea41b0a7e8314b182a2646da76c4177140bba332ae5334d69f7a688bd29d0a79154

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.zip

Filesize
27.9MB

MD5
e7c00475b006290804ec00a478859f2f

SHA1
259809bb20937d7226b766e7d42a3a6ede588d0b

SHA256
e6d38f3b192ae3b83f889826db2f51438fe4975351bf3adc8f4138dc0fb2e807

SHA512
3c2ce526021e7241393d8ed7dab174a4340aad5cb39246db3a5f6234409ba2440db9ea561da71e06d811b19c9756456eb5ae0adf37e7d8bb56009a2a9b292efa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

Filesize
99KB

MD5
6c8a405b8243837682378cfbefa92001

SHA1
21a120c6fcca8aff536cb896586131376497bc86

SHA256
a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2

SHA512
12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

Download Submit
\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll

Filesize
4.0MB

MD5
8e839b26c5efed6f41d6e854e5e97f5b

SHA1
5cb71374f72bf6a63ff65a6cda57ff66c3e54836

SHA256
1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011

SHA512
92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

Download Submit
memory/532-50-0x0000000000280000-0x000000000029E000-memory.dmp

Filesize
120KB

Download
memory/532-63-0x000000001D5B0000-0x000000001F938000-memory.dmp

Filesize
35.5MB

Download
memory/2456-86-0x000007FEF66E0000-0x000007FEF680C000-memory.dmp

Filesize
1.2MB

Download
memory/2456-87-0x000000001FF50000-0x0000000020FB0000-memory.dmp

Filesize
16.4MB

Download
memory/2456-88-0x000000001DC40000-0x000000001DCB6000-memory.dmp

Filesize
472KB

Download
memory/2456-77-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2456-68-0x0000000000400000-0x0000000002788000-memory.dmp

Filesize
35.5MB

Download
memory/2456-67-0x0000000000400000-0x0000000002788000-memory.dmp

Filesize
35.5MB

Download
memory/2456-90-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2456-94-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2456-96-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2456-104-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2736-28-0x000007FEF6A90000-0x000007FEF6BBC000-memory.dmp

Filesize
1.2MB

Download
memory/2736-32-0x000000001DA90000-0x000000001DB06000-memory.dmp

Filesize
472KB

Download
memory/2736-38-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-39-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-40-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-42-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2736-36-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-34-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2736-53-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-52-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2736-54-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2736-35-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-33-0x0000000020E00000-0x0000000020FF2000-memory.dmp

Filesize
1.9MB

Download
memory/2736-37-0x00000000047E0000-0x00000000047E8000-memory.dmp

Filesize
32KB

Download
memory/2736-31-0x000000001FFA0000-0x0000000020DF8000-memory.dmp

Filesize
14.3MB

Download
memory/2736-30-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2736-0-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2736-18-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2736-16-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-15-0x000007FEEEF60000-0x000007FEEFA89000-memory.dmp

Filesize
11.2MB

Download
memory/2736-8-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-7-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2736-6-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2736-3-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download
memory/2736-1-0x000007FEFDA03000-0x000007FEFDA04000-memory.dmp

Filesize
4KB

Download
memory/2736-2-0x000007FEFD9F0000-0x000007FEFDA5C000-memory.dmp

Filesize
432KB

Download