agenttesla | c74ec108cb5e8f59d4565503756078f8652b8b99f43fc00bc412082ae2d63d57

Analysis

max time kernel
152s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 20:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe
Size

1.2MB
MD5

d881b25107c15e6a403533b2fded497f
SHA1

157a39b6cc0bf291ae562de3375ef1b6ecfde68f
SHA256

0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6
SHA512

85acea38a31c7f7afd44ae410f1b5192ca4b2fb82242bdf83019e415d8ee51f8609ecf386689c62646eb853fb5827edb48d37607a1ed679970b0b826ea975b52
SSDEEP

24576:gAOcZXQOsoYKjqsM3RwfksQU8OIgibj5HHeg/cbGOSMIKB4p:+boisM3afkXU8H335HdYGOSMji

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.botswlogistics.com
Port:
587
Username:
[email protected]
Password:
*(QSTCj8

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 5 IoCs

resource	yara_rule
behavioral1/memory/1776-68-0x0000000000290000-0x00000000007B8000-memory.dmp	family_agenttesla
behavioral1/memory/1776-69-0x00000000002C6C3E-mapping.dmp	family_agenttesla
behavioral1/memory/1776-71-0x0000000000290000-0x00000000007B8000-memory.dmp	family_agenttesla
behavioral1/memory/1776-73-0x0000000000290000-0x00000000007B8000-memory.dmp	family_agenttesla
behavioral1/memory/1776-74-0x0000000000290000-0x00000000002CC000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
1784	njigc.exe

Loads dropped DLL 1 IoCs

pid	Process
1772	WScript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 1776	1784	njigc.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1776	RegSvcs.exe
1776	RegSvcs.exe
1776	RegSvcs.exe
1776	RegSvcs.exe
1784	njigc.exe
1776	RegSvcs.exe
1776	RegSvcs.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe
1784	njigc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	RegSvcs.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1772	1608	0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe	26
PID 1608 wrote to memory of 1772	1608	0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe	26
PID 1608 wrote to memory of 1772	1608	0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe	26
PID 1608 wrote to memory of 1772	1608	0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe	26
PID 1772 wrote to memory of 1784	1772	WScript.exe	27
PID 1772 wrote to memory of 1784	1772	WScript.exe	27
PID 1772 wrote to memory of 1784	1772	WScript.exe	27
PID 1772 wrote to memory of 1784	1772	WScript.exe	27
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28
PID 1784 wrote to memory of 1776	1784	njigc.exe	28

C:\Users\Admin\AppData\Local\Temp\0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe
"C:\Users\Admin\AppData\Local\Temp\0c38b5488a2c72a89b8bbcf9114d94578acb14b442ffa2d5715e5da9ba2a4be6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\2_104\hpapueldew.vbe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Local\Temp\2_104\njigc.exe
    "C:\Users\Admin\AppData\Local\Temp\2_104\njigc.exe" xbtxpjedx.hge
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2_104\mvuqxhc.dll

Filesize
44KB

MD5
5bb250e151a8589b702d59fed6fdaf49

SHA1
c6fac75ea5d6d7725597a7bf2d55df2680d6d5f5

SHA256
88d090ea7d1dd87ba8c32823876ddc3b6ae74f7912f9d80c2bd91d8f1de6b9ba

SHA512
ee373f6d2cc5f036f959ab991c86cc71bc09d2cce55ebd7304f36eaec2dbb20b094e2e973e0dc53d8082f817a637c7b61e747464e50c39f2238f1324d79a094f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_104\njigc.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_104\njigc.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_104\wkhvl.kvs

Filesize
427KB

MD5
d7b793210c2098d4e048827d93ffa8b0

SHA1
c923737e47f8da7ea07983b57e0ec662d8d41077

SHA256
e02b8cdcee852708b599beb104a614bfc1fdde8b0cbd56f341eaa39581d0894d

SHA512
496b48a830fbb91ad5e16c0f874d735c34101bb454de57d195fefdbd9c1af95d76f8b1e484de61685fe5139d548b16aa266c77ff241ccd88645752403edb4871

Download Submit
C:\Users\Admin\AppData\Local\Temp\2_104\xbtxpjedx.hge

Filesize
123.1MB

MD5
6d3df00dec8784e5848456265e466c7d

SHA1
b8d1fbca69bb9263d59df0a3e1f12670eca02a9a

SHA256
134902e76ffe1449f3c2685a7e7555cbd979ce9ba5ae3ad325e20346bd281e4f

SHA512
dd92c6183087b5a48b0c8f43c58c103ef0ffaa7e5c26ba43669511f453ab7e116b8ae103697f3e5a69c451ae84b1db5dbcad36549b342acffdcd616e18a7b07c

Download Submit
C:\Users\Admin\AppData\Local\temp\2_104\hpapueldew.vbe

Filesize
27KB

MD5
6cc09a933bcd5a29f8b6719cba0b8562

SHA1
186397296b52b1619355a9a3f460608ea6997ddb

SHA256
be70a38416d5260b985cccaefa6ebacf2256935ba237e71042cf3189ce007688

SHA512
64f73abec99fafdd154179ac0d8e07b01fd57a8934c36391ae85ef1abb216e76d8f5e11cd73121ffcab33dd0e1043559c3dd128927117b01093e969e9b3b4b5f

Download Submit
\Users\Admin\AppData\Local\Temp\2_104\njigc.exe

Filesize
1.1MB

MD5
b5b4f7b97106aff4bd860cff0e13dcdc

SHA1
42ca977e0d14bde5d5831b7fe10f516186df3fc5

SHA256
1dbad30b09c655ff987f25c312f56e9695d60105c240686d05d33941c854fa73

SHA512
3e6742aea38c0cbfee8e5cb8f11d328c947c7e4fcca4604b498a7e254aacfe53cc8fc6171d5ed2db7755abb510c09036bfbb1e5a9d9b7b47a587b43c828e3185

Download Submit
memory/1608-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1776-66-0x0000000000290000-0x00000000007B8000-memory.dmp

Filesize
5.2MB

Download
memory/1776-68-0x0000000000290000-0x00000000007B8000-memory.dmp

Filesize
5.2MB

Download
memory/1776-71-0x0000000000290000-0x00000000007B8000-memory.dmp

Filesize
5.2MB

Download
memory/1776-73-0x0000000000290000-0x00000000007B8000-memory.dmp

Filesize
5.2MB

Download
memory/1776-74-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download