agenttesla | 09c86fc57dce8aceee45fa3727c4e3ab8fa7bb13885e6db59dc72d719f1829ca

Analysis

max time kernel
151s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2023, 01:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20cdad829e87d6b52b80273488bf103d.exe
Size

4.5MB
MD5

20cdad829e87d6b52b80273488bf103d
SHA1

6f06b587fa7f6eeb7b15a53bde9f0ece2f55ac67
SHA256

09c86fc57dce8aceee45fa3727c4e3ab8fa7bb13885e6db59dc72d719f1829ca
SHA512

d1887c0e4e9b7634234dd8d8ec797bebfe9021e30cdb299b1fed569011ad1a221aa9afea1b8979e5cccc51d97a539cba8908fa0fe410c429c35d2fc56889c910
SSDEEP

98304:2QtPknqjQMPknqoQkQaVIIOzRQEjhuStSEb6kqXf0FIblY1:2cMIVMvNvVVqlhuvBkSIIblY1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3760-6-0x000001F51A470000-0x000001F51A666000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	20cdad829e87d6b52b80273488bf103d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	20cdad829e87d6b52b80273488bf103d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	20cdad829e87d6b52b80273488bf103d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	384	svchost.exe

C:\Users\Admin\AppData\Local\Temp\20cdad829e87d6b52b80273488bf103d.exe
"C:\Users\Admin\AppData\Local\Temp\20cdad829e87d6b52b80273488bf103d.exe"
1⤵
- Enumerates system info in registry
PID:3760

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
a03ea46699d67262817ecfd9b793f366

SHA1
ccc1a590d7991f0e000f3463fd9c1e8f14ec798d

SHA256
8cfd8de3c5b65ba153cc513570ce3cff46ed159c1f6358d74e307c311a1c839b

SHA512
d5d44bbfcb05050d1ad3ec9c52646399f9057a9d2ac0e9ceb3e7424db61357200e6909c651f0c3597c71b8b6bd90f944fbc459009487766bc3e82b0016250b6b

Download Submit
memory/384-54-0x00000155DB170000-0x00000155DB171000-memory.dmp

Filesize
4KB

Download
memory/384-57-0x00000155DB170000-0x00000155DB171000-memory.dmp

Filesize
4KB

Download
memory/384-79-0x00000155DB3C0000-0x00000155DB3C1000-memory.dmp

Filesize
4KB

Download
memory/384-78-0x00000155DB2B0000-0x00000155DB2B1000-memory.dmp

Filesize
4KB

Download
memory/384-77-0x00000155DB2B0000-0x00000155DB2B1000-memory.dmp

Filesize
4KB

Download
memory/384-75-0x00000155DB2A0000-0x00000155DB2A1000-memory.dmp

Filesize
4KB

Download
memory/384-63-0x00000155DB0A0000-0x00000155DB0A1000-memory.dmp

Filesize
4KB

Download
memory/384-60-0x00000155DB160000-0x00000155DB161000-memory.dmp

Filesize
4KB

Download
memory/384-49-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-55-0x00000155DB160000-0x00000155DB161000-memory.dmp

Filesize
4KB

Download
memory/384-11-0x00000155D2E40000-0x00000155D2E50000-memory.dmp

Filesize
64KB

Download
memory/384-27-0x00000155D2F40000-0x00000155D2F50000-memory.dmp

Filesize
64KB

Download
memory/384-43-0x00000155DB520000-0x00000155DB521000-memory.dmp

Filesize
4KB

Download
memory/384-44-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-45-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-46-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-53-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-48-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-47-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-50-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-51-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/384-52-0x00000155DB550000-0x00000155DB551000-memory.dmp

Filesize
4KB

Download
memory/3760-2-0x000001F51A1C0000-0x000001F51A1D0000-memory.dmp

Filesize
64KB

Download
memory/3760-0-0x000001F57EF50000-0x000001F57F3CA000-memory.dmp

Filesize
4.5MB

Download
memory/3760-10-0x000001F51A1C0000-0x000001F51A1D0000-memory.dmp

Filesize
64KB

Download
memory/3760-9-0x000001F51A1C0000-0x000001F51A1D0000-memory.dmp

Filesize
64KB

Download
memory/3760-8-0x00007FFE92730000-0x00007FFE931F1000-memory.dmp

Filesize
10.8MB

Download
memory/3760-7-0x000001F51A1C0000-0x000001F51A1D0000-memory.dmp

Filesize
64KB

Download
memory/3760-1-0x00007FFE92730000-0x00007FFE931F1000-memory.dmp

Filesize
10.8MB

Download
memory/3760-6-0x000001F51A470000-0x000001F51A666000-memory.dmp

Filesize
2.0MB

Download
memory/3760-5-0x000001F51A110000-0x000001F51A1C2000-memory.dmp

Filesize
712KB

Download
memory/3760-4-0x000001F501970000-0x000001F50198A000-memory.dmp

Filesize
104KB

Download
memory/3760-3-0x000001F501810000-0x000001F501844000-memory.dmp

Filesize
208KB

Download