agenttesla | 4d174b72d4885a6099bb775a4cfafd62569195287d657ad23b42019a4761d698

General

Target

Debug.rar
Size

1.5MB
MD5

793fa8a48839b30426a57924e9708e7b
SHA1

53e38c7556390ba84bf1cf5402ba7c73b9424fb8
SHA256

4d174b72d4885a6099bb775a4cfafd62569195287d657ad23b42019a4761d698
SHA512

7c45128232bc215916fb64db977b7105c064568bf482cb2193f9530e2d7738e91cbcd50a58989ae11c412abafb82b4cabdc17509b32fbcf45066aae27444497d
SSDEEP

24576:n1KK6ImbokiLRq3dieSQiua9oxaAPaNTEZc/uhSLSYcNt/V9Dvn+WfGqqUFiygUl:ncCoo5L4Nn/s+xRPa8cY9DvnHbrkyUf8

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023509-12.dat	family_agenttesla
behavioral1/memory/2092-15-0x00000000055B0000-0x00000000057C4000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2092	WindowsFormsApp2.exe
4204	WindowsFormsApp2.exe

Loads dropped DLL 8 IoCs

pid	Process
2092	WindowsFormsApp2.exe
2092	WindowsFormsApp2.exe
2092	WindowsFormsApp2.exe
2092	WindowsFormsApp2.exe
4204	WindowsFormsApp2.exe
4204	WindowsFormsApp2.exe
4204	WindowsFormsApp2.exe
4204	WindowsFormsApp2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsFormsApp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsFormsApp2.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WindowsFormsApp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WindowsFormsApp2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WindowsFormsApp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WindowsFormsApp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WindowsFormsApp2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WindowsFormsApp2.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1548	7zG.exe
Token: 35	1548	7zG.exe
Token: SeSecurityPrivilege	1548	7zG.exe
Token: SeSecurityPrivilege	1548	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1548	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5068	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar
1⤵
- Modifies registry class
PID:3248

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:720

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Debug\" -spe -an -ai#7zMap9388:68:7zEvent7805
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1548

C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe
"C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2092

C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe
"C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsFormsApp2.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\Desktop\Debug\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
C:\Users\Admin\Desktop\Debug\Siticone.UI.dll

Filesize
1.3MB

MD5
750c58af2e56b6addecffcf152520ab8

SHA1
14995e7f1d12498606d9d209d78d55fe6fd87802

SHA256
27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

SHA512
2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

Download Submit
C:\Users\Admin\Desktop\Debug\WindowsFormsApp2.exe

Filesize
504KB

MD5
7e873ea844ca676ad0daaa3ab3ea18f0

SHA1
62a93ae492a92e2dbd079f7a6fc8ebfd2ffc64ee

SHA256
9d9a558671f4b14e8edf2b62c26db0535de697dc181f5954b9e648b7e007a513

SHA512
9c65c7476a60b6d8584b2d4c2c20a7038deac1b20ef51d335191364bed33eef0d74cfbf25e8f591fca5e763d299577557971354c9d5c795c6f53c2f6522a9848

Download Submit
memory/2092-8-0x0000000000130000-0x00000000001B4000-memory.dmp

Filesize
528KB

Download
memory/2092-9-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/2092-10-0x0000000004A50000-0x0000000004AE2000-memory.dmp

Filesize
584KB

Download
memory/2092-11-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/2092-15-0x00000000055B0000-0x00000000057C4000-memory.dmp

Filesize
2.1MB

Download
memory/2092-19-0x0000000008BB0000-0x0000000008CFE000-memory.dmp

Filesize
1.3MB

Download
memory/2092-20-0x00000000089B0000-0x00000000089C4000-memory.dmp

Filesize
80KB

Download
memory/4204-28-0x0000000008B30000-0x0000000008B44000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing