agenttesla | 8e286696a68fbea67a45b8b49daf8d6b486340d6515a19255f57b42b9a3c053d

Analysis

max time kernel
96s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1992-72-0x0000000000400000-0x000000000043D000-memory.exe
Size

244KB
MD5

eafd1bff062f8edb0ed644c3a6bd5d65
SHA1

cdc15a5eedf87e2c6ec547f24e833b8ccf1b0cc1
SHA256

8e286696a68fbea67a45b8b49daf8d6b486340d6515a19255f57b42b9a3c053d
SHA512

552f7ac2d6c8c037fcbc81d968e6e41517eb95e0bdc35d7b4c2525279e17d31cd62d02e675d1406b345b90809d9837a68de05103ace766d266c52cb9e3fc4ed5
SSDEEP

3072:AHWG7oJ4jT1Yto2mAFPlfT0bxzbUKOfeNUY2jzkRhXJwXJ0yeGrptQY3FXJzNvG5:A2GPTC59E1Uffe+Y2chX2XciJVXFNvI

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

http://107.189.4.253/zipone/inc/10c5bcaaef047d.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 3 IoCs

Processes:

FB_CED.tmp.exeFB_1067.tmp.exesvcupdater.exe

pid process

1788 FB_CED.tmp.exe
1340 FB_1067.tmp.exe
1984 svcupdater.exe

pid	process
1788	FB_CED.tmp.exe
1340	FB_1067.tmp.exe
1984	svcupdater.exe

Loads dropped DLL 5 IoCs

Processes:

1992-72-0x0000000000400000-0x000000000043D000-memory.exedw20.exe

pid	process
1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe
1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe
1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe
1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe
840	dw20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

516 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svcupdater.exe

description pid process

Token: SeDebugPrivilege 1984 svcupdater.exe

pid	process
516	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1984	svcupdater.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1992-72-0x0000000000400000-0x000000000043D000-memory.exeFB_CED.tmp.exeFB_1067.tmp.execmd.exetaskeng.exe

description	pid	process	target process
PID 1412 wrote to memory of 1788	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_CED.tmp.exe
PID 1412 wrote to memory of 1788	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_CED.tmp.exe
PID 1412 wrote to memory of 1788	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_CED.tmp.exe
PID 1412 wrote to memory of 1788	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_CED.tmp.exe
PID 1412 wrote to memory of 1340	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_1067.tmp.exe
PID 1412 wrote to memory of 1340	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_1067.tmp.exe
PID 1412 wrote to memory of 1340	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_1067.tmp.exe
PID 1412 wrote to memory of 1340	1412	1992-72-0x0000000000400000-0x000000000043D000-memory.exe	FB_1067.tmp.exe
PID 1788 wrote to memory of 840	1788	FB_CED.tmp.exe	dw20.exe
PID 1788 wrote to memory of 840	1788	FB_CED.tmp.exe	dw20.exe
PID 1788 wrote to memory of 840	1788	FB_CED.tmp.exe	dw20.exe
PID 1788 wrote to memory of 840	1788	FB_CED.tmp.exe	dw20.exe
PID 1340 wrote to memory of 1372	1340	FB_1067.tmp.exe	cmd.exe
PID 1340 wrote to memory of 1372	1340	FB_1067.tmp.exe	cmd.exe
PID 1340 wrote to memory of 1372	1340	FB_1067.tmp.exe	cmd.exe
PID 1372 wrote to memory of 516	1372	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 516	1372	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 516	1372	cmd.exe	schtasks.exe
PID 688 wrote to memory of 1984	688	taskeng.exe	svcupdater.exe
PID 688 wrote to memory of 1984	688	taskeng.exe	svcupdater.exe
PID 688 wrote to memory of 1984	688	taskeng.exe	svcupdater.exe

C:\Users\Admin\AppData\Local\Temp\1992-72-0x0000000000400000-0x000000000043D000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\1992-72-0x0000000000400000-0x000000000043D000-memory.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 424
3⤵
- Loads dropped DLL
PID:840

C:\Users\Admin\AppData\Local\Temp\FB_1067.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\FB_1067.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /tn \oflgwXquKB /tr "C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\system32\schtasks.exe
schtasks /create /tn \oflgwXquKB /tr "C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
4⤵
- Creates scheduled task(s)
PID:516

C:\Windows\system32\taskeng.exe
taskeng.exe {641DB269-0BA9-4740-A79B-4DDF0B4220C1} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe
C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FB_1067.tmp.exe

Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_1067.tmp.exe

Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe

Filesize
444.2MB

MD5
f91f1575c5d66a9768121e40922c5349

SHA1
e805145c280875104c6d9643e073237924154b71

SHA256
e4e2086ec6309805b724896149d8601bd9fe067d25d523ab5b8c8e75c3f40756

SHA512
e8bbb93f626753b8c486a70cd1245615e888d45985791c3f60a2645f3aa2a3cf0093e54474699377f89b510baa89878c88aaa363d815d5b2e418010703ca0d97

Download Submit
C:\Users\Admin\AppData\Roaming\oflgwXquKB\svcupdater.exe

Filesize
444.1MB

MD5
1051a12f9991c0af342163d0239ee099

SHA1
8058e8122dc6a2e13453c53e5ea7e75e66f08988

SHA256
fb09f007087f019b149df79f31295a9a3089a760f867808baeba74f42811a1fd

SHA512
60342e6e4d372e563d6e33eb5cc088793f7f1e870750222531713a116566ccba2909b332866929bafdeccb77b48c58b31de7698c10bda4e4d1d34030dbea82bc

Download Submit
\Users\Admin\AppData\Local\Temp\FB_1067.tmp.exe

Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
\Users\Admin\AppData\Local\Temp\FB_1067.tmp.exe

Filesize
8KB

MD5
fa22ef17a3b0bdb50020d4f27ad2feec

SHA1
634ecd4159890f24dce98a71b39a86ffdfd207bd

SHA256
81aa7692e1e20c72d05efa7fcde837f4306a6c95798d49acf734fff49015fc1c

SHA512
fc5e6d9e61df6d5c54a73e44e9a8f82a0df6006d7ab60b1a1199928df6eaf46610d4db53ce18fba84de4b93b29ff23fd17fe4d3d3b9d3afbf44ba65478c89408

Download Submit
\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
\Users\Admin\AppData\Local\Temp\FB_CED.tmp.exe

Filesize
217KB

MD5
9b806fd0bd716d762711c47fdc887783

SHA1
2881e1da525b16b7c5b8178d7c6c12613983dbda

SHA256
475caa3046685bdfb65538f4a4467b6ce115936736ffce85307da0fcaa55cec7

SHA512
4d898500cd2205fc7701556e22f284b2d47a482c152625123136881471962a0e646172a0364d55d74902f09dbcaf4699a901a7c81ccdd3e419796dab088e6f4c

Download Submit
memory/516-72-0x0000000000000000-mapping.dmp

Download
memory/840-68-0x0000000000000000-mapping.dmp

Download
memory/1340-62-0x0000000000000000-mapping.dmp

Download
memory/1340-66-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/1372-71-0x0000000000000000-mapping.dmp

Download
memory/1412-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1788-67-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-73-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-57-0x0000000000000000-mapping.dmp

Download
memory/1984-75-0x0000000000000000-mapping.dmp

Download
memory/1984-77-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download