agenttesla | cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1

General

Target

cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe
Size

444KB
MD5

d31b2440677629f677088e97981aa638
SHA1

43b91b1c7b064294440f9d944166a65e0db48e14
SHA256

cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1
SHA512

3598327a3827742d67f1794acf1eda28ded22ed7ac92cc69de7866b20903a97da6782b8908650e83825f290f900518157f398485f45f9f5c6ff46bf5c885b954
SSDEEP

6144:HoPu6sbxtqQwDCVmpXdaZwVGnESPmP2yyT5lq1aR8a4XZLCWR7pUZ:PjqYZwV3SPm7yT5Qw+mWtaZ

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 4 IoCs

resource	yara_rule
behavioral1/memory/2136-4-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2136-6-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2136-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2136-14-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 2136	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	32

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe
2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2912	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	30
PID 2360 wrote to memory of 2912	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	30
PID 2360 wrote to memory of 2912	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	30
PID 2360 wrote to memory of 2912	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	30
PID 2360 wrote to memory of 2136	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	32
PID 2360 wrote to memory of 2136	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	32
PID 2360 wrote to memory of 2136	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	32
PID 2360 wrote to memory of 2136	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	32
PID 2360 wrote to memory of 2136	2360	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	32
PID 2912 wrote to memory of 2552	2912	cmd.exe	33
PID 2912 wrote to memory of 2552	2912	cmd.exe	33
PID 2912 wrote to memory of 2552	2912	cmd.exe	33
PID 2912 wrote to memory of 2552	2912	cmd.exe	33
PID 2136 wrote to memory of 1244	2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	34
PID 2136 wrote to memory of 1244	2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	34
PID 2136 wrote to memory of 1244	2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	34
PID 2136 wrote to memory of 1244	2136	cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe	34

C:\Users\Admin\AppData\Local\Temp\cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe
"C:\Users\Admin\AppData\Local\Temp\cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\5266164ba3264381885ad8ba377bd237.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\5266164ba3264381885ad8ba377bd237.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe
  "C:\Users\Admin\AppData\Local\Temp\cf9b22d4b9bd24c826d360840e3fba7d40ce49d636902980655c328cb118c1d1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 520
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5266164ba3264381885ad8ba377bd237.xml

Filesize
1KB

MD5
dfdb9d18a06ec22909b59752f9a855b7

SHA1
d9d0b69b43f120034ee5fff302d35619024c08b1

SHA256
1254918a08627f9d173cf444afe4a11daa8f7cc75b72e0ae05eb2af80dafea1c

SHA512
1db0fa573a83c0b95e4c732a1c5274c740e8ff4228b653b3574d2654b474e79f747195a68ff5ece30613f4b1540793e8652bfe2f4b9464b6fc49bed093df218b

Download Submit
memory/1244-15-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2136-12-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2136-8-0x0000000074A31000-0x0000000074A32000-memory.dmp

Filesize
4KB

Download
memory/2136-6-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2136-13-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-11-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-10-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2136-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2136-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2136-16-0x0000000074A30000-0x0000000074FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-3-0x00000000001D0000-0x00000000002D0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads