agenttesla | 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3

Analysis

max time kernel
34s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Size

1.3MB
MD5

5d86018377d9cf83e6e2c08fd9fd60d3
SHA1

3ae1897f221aa5893f8aff0bfd79666f8ba2236f
SHA256

1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3
SHA512

d2ea45f5f6aa1561468ff5657d6b9cfc1fe3168621dde2706423cf26c12a8c5a0fa920275bc2a7294d341e39da71493975b0c4632701d4629966b1a058b52fb7
SSDEEP

24576:YkzJBUqX3qbkN6s2P2VElQJyNmXy76p7ZUgSb2H8KZ/L2zZnJf+MCFL3:YkNBH16sVOy0NmXIgSudT2teL

Score

10^/10

agenttesla snakekeylogger keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5008-7-0x0000000000400000-0x0000000000466000-memory.dmp	family_snakekeylogger

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe

Executes dropped EXE 2 IoCs

Processes:

frankdan.exesvchost.exe

pid process

3052 frankdan.exe
2124 svchost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

104 api.ipify.org
105 api.ipify.org

pid	process
3052	frankdan.exe
2124	svchost.exe

flow	ioc
104	api.ipify.org
105	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe

description	pid	process	target process
PID 4344 set thread context of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4056 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

frankdan.exe

pid process

3052 frankdan.exe
3052 frankdan.exe
3052 frankdan.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

frankdan.exe

description pid process

Token: SeDebugPrivilege 3052 frankdan.exe

pid	process
4056	schtasks.exe

pid	process
3052	frankdan.exe
3052	frankdan.exe
3052	frankdan.exe

description	pid	process
Token: SeDebugPrivilege	3052	frankdan.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe

description	pid	process	target process
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 4344 wrote to memory of 5008	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
PID 5008 wrote to memory of 3052	5008	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	frankdan.exe
PID 5008 wrote to memory of 3052	5008	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	frankdan.exe
PID 5008 wrote to memory of 3052	5008	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	frankdan.exe
PID 4344 wrote to memory of 2124	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	svchost.exe
PID 4344 wrote to memory of 2124	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	svchost.exe
PID 4344 wrote to memory of 2124	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	svchost.exe
PID 4344 wrote to memory of 3352	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 3352	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 3352	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 4552	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 4552	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 4552	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 4548	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 4548	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe
PID 4344 wrote to memory of 4548	4344	1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
"C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
"C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Roaming\frankdan.exe
"C:\Users\Admin\AppData\Roaming\frankdan.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:4552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4056

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
621KB

MD5
ed9d91fe584d5109d4067734ac452753

SHA1
c277e57866833509d94787fc6f4d634a2714825d

SHA256
3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030

SHA512
a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a

Download Submit
C:\Users\Admin\AppData\Roaming\frankdan.exe

Filesize
247KB

MD5
e254aed552568e13df13e204adcb8011

SHA1
18deaf67ac2a3ae2be3d3e620f650cb6edcba92a

SHA256
23b22ca7ca4272afba9114cc3da4316c38c2407574cb1649aa549c9a7e792ae5

SHA512
f89aa1487f6c1c2e9a3b76de8137b56da65c1d2df6f40439c0da4726478a11fbea83f7c3ad0530e12a1fb0cd808062d8f2a915879c0d5e210f3340138ace8c3f

Download Submit
C:\Users\Admin\AppData\Roaming\frankdan.exe

Filesize
247KB

MD5
e254aed552568e13df13e204adcb8011

SHA1
18deaf67ac2a3ae2be3d3e620f650cb6edcba92a

SHA256
23b22ca7ca4272afba9114cc3da4316c38c2407574cb1649aa549c9a7e792ae5

SHA512
f89aa1487f6c1c2e9a3b76de8137b56da65c1d2df6f40439c0da4726478a11fbea83f7c3ad0530e12a1fb0cd808062d8f2a915879c0d5e210f3340138ace8c3f

Download Submit
C:\Users\Admin\AppData\Roaming\frankdan.exe

Filesize
247KB

MD5
e254aed552568e13df13e204adcb8011

SHA1
18deaf67ac2a3ae2be3d3e620f650cb6edcba92a

SHA256
23b22ca7ca4272afba9114cc3da4316c38c2407574cb1649aa549c9a7e792ae5

SHA512
f89aa1487f6c1c2e9a3b76de8137b56da65c1d2df6f40439c0da4726478a11fbea83f7c3ad0530e12a1fb0cd808062d8f2a915879c0d5e210f3340138ace8c3f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
512KB

MD5
759c682fca9861c8d5d19115246a2058

SHA1
310ffb4e173f48bbab63eeb2b2a4dc035a635b76

SHA256
337c6bac94edd2e6e287f904ed5ca916a99b6a9536d061577da3f5d241973fae

SHA512
9539b6bfa9231bcf68c939d2b21384c6310500844a651546eec4009cf552c4219ab83bb1c88b32438d656081a357cfb2a1eedc36ad14b01b53b128f88f289b08

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
19KB

MD5
dcb319fdf88cb59fde6b7eaed942f0a1

SHA1
6f74cf3a87a099a8c6520ccf9895c4e63d5dae01

SHA256
da06cdad222df54d7011531f61b46f7006756a33dd52205ec8a788b0e376372c

SHA512
45e2e55c6ff8e780667056d3e0acd187dfc606493a9cbef2b288ac479fe8d30902ad6f85e2bf0c8fc2cd6305614abff0c01ab76c9305cce529a54e28c071cc54

Download Submit
memory/2124-40-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/2124-35-0x00000000009E0000-0x0000000000A82000-memory.dmp

Filesize
648KB

Download
memory/3052-36-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/3052-38-0x0000000000740000-0x0000000000784000-memory.dmp

Filesize
272KB

Download
memory/3052-46-0x00000000069C0000-0x0000000006A5C000-memory.dmp

Filesize
624KB

Download
memory/3052-45-0x00000000068D0000-0x0000000006920000-memory.dmp

Filesize
320KB

Download
memory/3052-41-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/3052-42-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/4344-5-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4344-39-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4344-4-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4344-0-0x0000000000A90000-0x0000000000BE0000-memory.dmp

Filesize
1.3MB

Download
memory/4344-3-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4344-6-0x0000000005850000-0x00000000059B0000-memory.dmp

Filesize
1.4MB

Download
memory/4344-2-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4344-1-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-37-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-10-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/5008-7-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/5008-9-0x0000000002F00000-0x0000000002F08000-memory.dmp

Filesize
32KB

Download