agenttesla | 2b462a8fa08088d8a738b3e9fdad71b1655c44e5497c1cb212e514f536a780ab

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-04-2023 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blueberry_obfuscator-VM.exe
Size

5.3MB
MD5

bfe2c9a81002c0b3f51e80d28166f11c
SHA1

49800d024d3773c4050f3ca5ac7bb79a2322334c
SHA256

2b462a8fa08088d8a738b3e9fdad71b1655c44e5497c1cb212e514f536a780ab
SHA512

3148ffbe478ac1294e61bb62688b8c938e4658df97abb1ce1271db50541b76e87d0f542e6660123db3520730de99914bd6ba44093e637e43a1436dbb06cc9db0
SSDEEP

98304:28zYBgkTRCyjAM0bRKLIYh74b6iGeUwjDRQOOAxY4Yj89PXAAZbJPnyl258RjPsL:28zYBgkTRCyjAM0bRKLIYh74b6iGeUwd

Score

10^/10

agenttesla elysiumstealer keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer

ElysiumStealer Support DLL 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000013a47-57.dat	elysiumstealer_dll
behavioral1/memory/1524-59-0x0000000004560000-0x00000000045A0000-memory.dmp	elysiumstealer_dll

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1524-60-0x00000000064C0000-0x00000000066D6000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

pid	Process
1524	blueberry_obfuscator-VM.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
728	1524	WerFault.exe	26

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	blueberry_obfuscator-VM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	blueberry_obfuscator-VM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	blueberry_obfuscator-VM.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1524	blueberry_obfuscator-VM.exe
1524	blueberry_obfuscator-VM.exe
1524	blueberry_obfuscator-VM.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	blueberry_obfuscator-VM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 728	1524	blueberry_obfuscator-VM.exe	27
PID 1524 wrote to memory of 728	1524	blueberry_obfuscator-VM.exe	27
PID 1524 wrote to memory of 728	1524	blueberry_obfuscator-VM.exe	27
PID 1524 wrote to memory of 728	1524	blueberry_obfuscator-VM.exe	27

C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe
"C:\Users\Admin\AppData\Local\Temp\blueberry_obfuscator-VM.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1496
  2⤵
  - Program crash
  PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\0x7RT.dll

Filesize
40KB

MD5
94173de2e35aa8d621fc1c4f54b2a082

SHA1
fbb2266ee47f88462560f0370edb329554cd5869

SHA256
7e2c70b7732fb1a9a61d7ce3d7290bc7b31ea28cbfb1dbc79d377835615b941f

SHA512
cadbf4db0417283a02febbabd337bf17b254a6eb6e771f8a553a140dd2b04efd0672b1f3175c044a3edd0a911ce59d6695f765555262560925f3159bb8f3b798

Download Submit
memory/1524-54-0x00000000000F0000-0x0000000000642000-memory.dmp

Filesize
5.3MB

Download
memory/1524-55-0x00000000023D0000-0x00000000023E4000-memory.dmp

Filesize
80KB

Download
memory/1524-59-0x0000000004560000-0x00000000045A0000-memory.dmp

Filesize
256KB

Download
memory/1524-60-0x00000000064C0000-0x00000000066D6000-memory.dmp

Filesize
2.1MB

Download
memory/1524-61-0x00000000066E0000-0x000000000682E000-memory.dmp

Filesize
1.3MB

Download
memory/1524-62-0x0000000005710000-0x0000000005724000-memory.dmp

Filesize
80KB

Download
memory/1524-63-0x0000000004560000-0x00000000045A0000-memory.dmp

Filesize
256KB

Download