agenttesla | 09324a05739bbbf1b1d972990bfe9716e989c5787a06bcb520c887b6ac13c6b3

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Output.js
Size

3.0MB
MD5

80765412e06741deb5560dd14a0356cf
SHA1

2a2a113f4d95a7f12d9e975fc4a91e3ee1797da0
SHA256

7299b2ba8e372197e9fdf8e4cb2515723a7def421d39e275367603e1cae9e823
SHA512

f41dfb4d1ad1803b574b8c521c3ca3ea2517132d5fb98b8057599d3d9e9ed188f8591ff1802f89eab108bf14395355c97367394f94c0616554f8b29e5d73f656

Score

10^/10

agenttesla darkcomet nanocore keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

95.140.125.76:4580

Mutex

bd5a019d-3359-4837-8cfa-e0eb7e162b4f

Attributes

activate_away_mode
true
backup_connection_host
95.140.125.76
backup_dns_server
buffer_size
65535
build_time
2018-08-30T12:26:08.775653636Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4580
default_group
TOBE_G
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
bd5a019d-3359-4837-8cfa-e0eb7e162b4f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
95.140.125.76
primary_dns_server
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE	family_agenttesla
behavioral2/memory/3848-159-0x0000000000400000-0x0000000000624000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE	family_agenttesla

Executes dropped EXE 6 IoCs

Processes:

OegfrTm.exefilename.exefilename.exeAUDIODG.EXETOBY_G.EXEAUDIODG.EXE

pid process

1988 OegfrTm.exe
3168 filename.exe
3848 filename.exe
3280 AUDIODG.EXE
1172 TOBY_G.EXE
3832 AUDIODG.EXE

pid	process
1988	OegfrTm.exe
3168	filename.exe
3848	filename.exe
3280	AUDIODG.EXE
1172	TOBY_G.EXE
3832	AUDIODG.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3848-150-0x0000000000400000-0x0000000000543000-memory.dmp	upx
behavioral2/memory/3848-159-0x0000000000400000-0x0000000000624000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeOegfrTm.exefilename.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	OegfrTm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	filename.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs -rr"	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

filename.exe

description pid process target process

PID 3168 set thread context of 3848 3168 filename.exe filename.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

OegfrTm.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings OegfrTm.exe

description	pid	process	target process
PID 3168 set thread context of 3848	3168	filename.exe	filename.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	OegfrTm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

filename.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3848	filename.exe
Token: SeSecurityPrivilege	3848	filename.exe
Token: SeTakeOwnershipPrivilege	3848	filename.exe
Token: SeLoadDriverPrivilege	3848	filename.exe
Token: SeSystemProfilePrivilege	3848	filename.exe
Token: SeSystemtimePrivilege	3848	filename.exe
Token: SeProfSingleProcessPrivilege	3848	filename.exe
Token: SeIncBasePriorityPrivilege	3848	filename.exe
Token: SeCreatePagefilePrivilege	3848	filename.exe
Token: SeBackupPrivilege	3848	filename.exe
Token: SeRestorePrivilege	3848	filename.exe
Token: SeShutdownPrivilege	3848	filename.exe
Token: SeDebugPrivilege	3848	filename.exe
Token: SeSystemEnvironmentPrivilege	3848	filename.exe
Token: SeChangeNotifyPrivilege	3848	filename.exe
Token: SeRemoteShutdownPrivilege	3848	filename.exe
Token: SeUndockPrivilege	3848	filename.exe
Token: SeManageVolumePrivilege	3848	filename.exe
Token: SeImpersonatePrivilege	3848	filename.exe
Token: SeCreateGlobalPrivilege	3848	filename.exe
Token: 33	3848	filename.exe
Token: 34	3848	filename.exe
Token: 35	3848	filename.exe
Token: 36	3848	filename.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OegfrTm.exefilename.exe

pid process

1988 OegfrTm.exe
3168 filename.exe

pid	process
1988	OegfrTm.exe
3168	filename.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

wscript.exeOegfrTm.exefilename.exefilename.exe

description	pid	process	target process
PID 1940 wrote to memory of 1988	1940	wscript.exe	OegfrTm.exe
PID 1940 wrote to memory of 1988	1940	wscript.exe	OegfrTm.exe
PID 1940 wrote to memory of 1988	1940	wscript.exe	OegfrTm.exe
PID 1988 wrote to memory of 3900	1988	OegfrTm.exe	WScript.exe
PID 1988 wrote to memory of 3900	1988	OegfrTm.exe	WScript.exe
PID 1988 wrote to memory of 3900	1988	OegfrTm.exe	WScript.exe
PID 1988 wrote to memory of 3168	1988	OegfrTm.exe	filename.exe
PID 1988 wrote to memory of 3168	1988	OegfrTm.exe	filename.exe
PID 1988 wrote to memory of 3168	1988	OegfrTm.exe	filename.exe
PID 3168 wrote to memory of 3848	3168	filename.exe	filename.exe
PID 3168 wrote to memory of 3848	3168	filename.exe	filename.exe
PID 3168 wrote to memory of 3848	3168	filename.exe	filename.exe
PID 3848 wrote to memory of 3280	3848	filename.exe	AUDIODG.EXE
PID 3848 wrote to memory of 3280	3848	filename.exe	AUDIODG.EXE
PID 3848 wrote to memory of 3280	3848	filename.exe	AUDIODG.EXE
PID 3848 wrote to memory of 1172	3848	filename.exe	TOBY_G.EXE
PID 3848 wrote to memory of 1172	3848	filename.exe	TOBY_G.EXE
PID 3848 wrote to memory of 1172	3848	filename.exe	TOBY_G.EXE
PID 3848 wrote to memory of 3832	3848	filename.exe	AUDIODG.EXE
PID 3848 wrote to memory of 3832	3848	filename.exe	AUDIODG.EXE
PID 3848 wrote to memory of 3832	3848	filename.exe	AUDIODG.EXE

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Output.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\OegfrTm.exe
"C:\Users\Admin\AppData\Local\Temp\OegfrTm.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
3⤵
- Adds Run key to start application
PID:3900

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE"
5⤵
- Executes dropped EXE
PID:3280

C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE
"C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE"
5⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE
"C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE"
5⤵
- Executes dropped EXE
PID:3832

C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE
"C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE"
5⤵
PID:2848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE
Filesize
354KB

MD5
ffd86a4b0ce89322379f61c8b5b9608e

SHA1
a68c4a0ecf6f3fc8f1b1c5761179b0bff4dcef07

SHA256
81ae3119052a8e6e8283fa1a264beecd89e13a5f0486367f28b9a3e8fb99a6e1

SHA512
f88d241b125f774cb5bdcf9a11469c2d8edfdf8648242b766f40229c8ef08aba899875bbd4b9d71671acecd5b717ae836a824e8268e5df5746fd45e5811759f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE
Filesize
354KB

MD5
ffd86a4b0ce89322379f61c8b5b9608e

SHA1
a68c4a0ecf6f3fc8f1b1c5761179b0bff4dcef07

SHA256
81ae3119052a8e6e8283fa1a264beecd89e13a5f0486367f28b9a3e8fb99a6e1

SHA512
f88d241b125f774cb5bdcf9a11469c2d8edfdf8648242b766f40229c8ef08aba899875bbd4b9d71671acecd5b717ae836a824e8268e5df5746fd45e5811759f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AUDIODG.EXE
Filesize
354KB

MD5
ffd86a4b0ce89322379f61c8b5b9608e

SHA1
a68c4a0ecf6f3fc8f1b1c5761179b0bff4dcef07

SHA256
81ae3119052a8e6e8283fa1a264beecd89e13a5f0486367f28b9a3e8fb99a6e1

SHA512
f88d241b125f774cb5bdcf9a11469c2d8edfdf8648242b766f40229c8ef08aba899875bbd4b9d71671acecd5b717ae836a824e8268e5df5746fd45e5811759f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\OegfrTm.exe
Filesize
2.1MB

MD5
07a1e5acc43fe7ba03ef6b50d01e5c59

SHA1
787b7e16dbf1ff2bcb1681114b5ac0049c5ce6a0

SHA256
a79bdc9c32cccce861afa48e8d14c1f982f7add58e75f3ad28c7ef6ef05e9b23

SHA512
87ad49a4e01264185fc3317c40813e10702d21d80025b011ff845d893cdb4530c971ee3ce0a01522cd88e00ff88e28ba7251d3eaa8ac37794291a3fbb4674640

Download Submit
C:\Users\Admin\AppData\Local\Temp\OegfrTm.exe
Filesize
2.1MB

MD5
07a1e5acc43fe7ba03ef6b50d01e5c59

SHA1
787b7e16dbf1ff2bcb1681114b5ac0049c5ce6a0

SHA256
a79bdc9c32cccce861afa48e8d14c1f982f7add58e75f3ad28c7ef6ef05e9b23

SHA512
87ad49a4e01264185fc3317c40813e10702d21d80025b011ff845d893cdb4530c971ee3ce0a01522cd88e00ff88e28ba7251d3eaa8ac37794291a3fbb4674640

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE
Filesize
202KB

MD5
ef2247cc05cb1645911c9e00686c45c0

SHA1
fd34d3cdd355d7022ed381db0d77da67f972bbef

SHA256
52deef2b5d455aa8001e7bc91fd8ff54024e2a707cbed1944507af2fe5dd4a86

SHA512
8a39908ab5c650acdc4e40062e18673c773bea2a3ce18e2b95821e4c7034187fc5ac72c659683f4048eb0a947f1190de950a213980f899947a0deadb3c3fb595

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE
Filesize
202KB

MD5
ef2247cc05cb1645911c9e00686c45c0

SHA1
fd34d3cdd355d7022ed381db0d77da67f972bbef

SHA256
52deef2b5d455aa8001e7bc91fd8ff54024e2a707cbed1944507af2fe5dd4a86

SHA512
8a39908ab5c650acdc4e40062e18673c773bea2a3ce18e2b95821e4c7034187fc5ac72c659683f4048eb0a947f1190de950a213980f899947a0deadb3c3fb595

Download Submit
C:\Users\Admin\AppData\Local\Temp\TOBY_G.EXE
Filesize
202KB

MD5
ef2247cc05cb1645911c9e00686c45c0

SHA1
fd34d3cdd355d7022ed381db0d77da67f972bbef

SHA256
52deef2b5d455aa8001e7bc91fd8ff54024e2a707cbed1944507af2fe5dd4a86

SHA512
8a39908ab5c650acdc4e40062e18673c773bea2a3ce18e2b95821e4c7034187fc5ac72c659683f4048eb0a947f1190de950a213980f899947a0deadb3c3fb595

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
Filesize
2.1MB

MD5
07a1e5acc43fe7ba03ef6b50d01e5c59

SHA1
787b7e16dbf1ff2bcb1681114b5ac0049c5ce6a0

SHA256
a79bdc9c32cccce861afa48e8d14c1f982f7add58e75f3ad28c7ef6ef05e9b23

SHA512
87ad49a4e01264185fc3317c40813e10702d21d80025b011ff845d893cdb4530c971ee3ce0a01522cd88e00ff88e28ba7251d3eaa8ac37794291a3fbb4674640

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
Filesize
2.1MB

MD5
07a1e5acc43fe7ba03ef6b50d01e5c59

SHA1
787b7e16dbf1ff2bcb1681114b5ac0049c5ce6a0

SHA256
a79bdc9c32cccce861afa48e8d14c1f982f7add58e75f3ad28c7ef6ef05e9b23

SHA512
87ad49a4e01264185fc3317c40813e10702d21d80025b011ff845d893cdb4530c971ee3ce0a01522cd88e00ff88e28ba7251d3eaa8ac37794291a3fbb4674640

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
Filesize
2.1MB

MD5
07a1e5acc43fe7ba03ef6b50d01e5c59

SHA1
787b7e16dbf1ff2bcb1681114b5ac0049c5ce6a0

SHA256
a79bdc9c32cccce861afa48e8d14c1f982f7add58e75f3ad28c7ef6ef05e9b23

SHA512
87ad49a4e01264185fc3317c40813e10702d21d80025b011ff845d893cdb4530c971ee3ce0a01522cd88e00ff88e28ba7251d3eaa8ac37794291a3fbb4674640

Download Submit
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
Filesize
1024B

MD5
a05951d8828004220b3a37cc8205c6a8

SHA1
e6e915715d6a479a98b0cce4de4697f584bb9eac

SHA256
07c678e10f73cce72742a62effebb56c58993b2276a95850b139743804f7fb87

SHA512
0a5d46ae16a67b5322bf65e3ab861864a164783e6f9eb04603d8a5846e2462cab7190e1f6d9b95fc403f6288b05485e04805d02f03910dd15d0c081f1dd8e7c7

Download Submit
memory/1172-171-0x0000000071DB0000-0x0000000072558000-memory.dmp

Filesize
7.7MB

Download
memory/1172-167-0x00000000725C0000-0x00000000730C0000-memory.dmp

Filesize
11.0MB

Download
memory/1172-165-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/1172-155-0x0000000000000000-mapping.dmp

Download
memory/1988-136-0x0000000077580000-0x0000000077723000-memory.dmp

Filesize
1.6MB

Download
memory/1988-143-0x0000000077580000-0x0000000077723000-memory.dmp

Filesize
1.6MB

Download
memory/1988-130-0x0000000000000000-mapping.dmp

Download
memory/1988-135-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/2848-163-0x0000000000000000-mapping.dmp

Download
memory/2848-173-0x0000000071DB0000-0x0000000072558000-memory.dmp

Filesize
7.7MB

Download
memory/2848-172-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/2848-170-0x00000000725C0000-0x00000000730C0000-memory.dmp

Filesize
11.0MB

Download
memory/3168-147-0x0000000077580000-0x0000000077723000-memory.dmp

Filesize
1.6MB

Download
memory/3168-138-0x0000000000000000-mapping.dmp

Download
memory/3280-174-0x0000000071DB0000-0x0000000072558000-memory.dmp

Filesize
7.7MB

Download
memory/3280-161-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/3280-152-0x0000000000000000-mapping.dmp

Download
memory/3280-166-0x00000000725C0000-0x00000000730C0000-memory.dmp

Filesize
11.0MB

Download
memory/3832-169-0x00000000725C0000-0x00000000730C0000-memory.dmp

Filesize
11.0MB

Download
memory/3832-168-0x0000000073160000-0x0000000073711000-memory.dmp

Filesize
5.7MB

Download
memory/3832-160-0x0000000000000000-mapping.dmp

Download
memory/3832-175-0x0000000071DB0000-0x0000000072558000-memory.dmp

Filesize
7.7MB

Download
memory/3848-150-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3848-145-0x0000000000000000-mapping.dmp

Download
memory/3848-159-0x0000000000400000-0x0000000000624000-memory.dmp

Filesize
2.1MB

Download
memory/3848-158-0x0000000077580000-0x0000000077723000-memory.dmp

Filesize
1.6MB

Download
memory/3900-137-0x0000000000000000-mapping.dmp

Download