agenttesla | fa693795580f8dcef4e2ba8415d3564a07ac8003bce39cb8d5bcf56c41bfac53

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CATALOG DESIGN SAMPLE.pdf.exe
Size

893KB
MD5

3bfaae0b4bea0b36968b40a08bdb0d85
SHA1

d967799713af81d2cf41521bc83743527179ed17
SHA256

0df26b825268eef7d7f14c5e4d01b554662033aaff921d055e35dccef79bd536
SHA512

eeebf033b35b4a130d0bbaa300c4ab0b9700368716ef8cb144b2508112a6c15bcf4d7fcacbf7c4ce291aec1bcaeb01a60eb717d5cf3504cc8103134fb3430508
SSDEEP

12288:wgIdCFdSZHZ/vEUsHWihc7Ax6zGGYvo9eHajD2O9RPxMza9PlfAwU0sOjVwAXCE5:XYYSZ5/vWW7WGYvYD7iulDTV5UETmbat

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6331768257:AAE1Rrc3F4A-nTJkfXEukNBriTate8i72L8/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 1 IoCs

pid	Process
2644	PO.exe

Loads dropped DLL 4 IoCs

pid	Process
2200	CATALOG DESIGN SAMPLE.pdf.exe
2200	CATALOG DESIGN SAMPLE.pdf.exe
2200	CATALOG DESIGN SAMPLE.pdf.exe
2200	CATALOG DESIGN SAMPLE.pdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1816	2644	PO.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2644	PO.exe
2644	PO.exe
2892	powershell.exe
2480	powershell.exe
2644	PO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	PO.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1732	DllHost.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2644	2200	CATALOG DESIGN SAMPLE.pdf.exe	29
PID 2200 wrote to memory of 2644	2200	CATALOG DESIGN SAMPLE.pdf.exe	29
PID 2200 wrote to memory of 2644	2200	CATALOG DESIGN SAMPLE.pdf.exe	29
PID 2200 wrote to memory of 2644	2200	CATALOG DESIGN SAMPLE.pdf.exe	29
PID 2644 wrote to memory of 2480	2644	PO.exe	32
PID 2644 wrote to memory of 2480	2644	PO.exe	32
PID 2644 wrote to memory of 2480	2644	PO.exe	32
PID 2644 wrote to memory of 2480	2644	PO.exe	32
PID 2644 wrote to memory of 2892	2644	PO.exe	34
PID 2644 wrote to memory of 2892	2644	PO.exe	34
PID 2644 wrote to memory of 2892	2644	PO.exe	34
PID 2644 wrote to memory of 2892	2644	PO.exe	34
PID 2644 wrote to memory of 2880	2644	PO.exe	36
PID 2644 wrote to memory of 2880	2644	PO.exe	36
PID 2644 wrote to memory of 2880	2644	PO.exe	36
PID 2644 wrote to memory of 2880	2644	PO.exe	36
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38
PID 2644 wrote to memory of 1816	2644	PO.exe	38

C:\Users\Admin\AppData\Local\Temp\CATALOG DESIGN SAMPLE.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\CATALOG DESIGN SAMPLE.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SwzDueaHtRTkp.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SwzDueaHtRTkp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDF0.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

Filesize
83KB

MD5
016025125f3b479aaabf8a4246073856

SHA1
123cf64214f2ba96dedc076d388ddf60d2ec5ce5

SHA256
39f3195908d56ee6d4d0f6484c913bbb268e934121856c590b397bbf7a3573ca

SHA512
4c83f010593e2ec86de367653a0c03aad7a41d1a7f6e26e302666ee81b6f4f4841e3395a026856e35ba9d092ef530af0756b4adb13e944dd7a0d5d5b64ddc62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDF0.tmp

Filesize
1KB

MD5
d65f5e7c03d843deeed0f15b7ac32179

SHA1
51b6b274162443e26da9371650fda64a3fde063a

SHA256
c08a89ed36fe2827fb42f8dd313d65a117b597bc6b3ff91e6021d6555985064b

SHA512
27f5ee6c9d45935a46642184c957b1d2429933c3158c6a412bda602b65324a6405564d7dc4721a186957db0ad94785b2e6ff5d65077a354f833f1f1561170fe6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R5NXVZG0PNIUD35QIZXU.temp

Filesize
7KB

MD5
ea4941919248dac0c719e38815418564

SHA1
73023f550a8c73f726e54036eede5eec3e42c101

SHA256
d1871d5aae21b54b094179db0beb8e4a89d2d87f571b8d2512f32dacd1c4ec4c

SHA512
a3a4bb13b38ac9cb7ab8245e738483fb7b4a039601bd694ad5888dd773bd1582c2f5375c9bfc0f110f6fa7726d778af466320325d34e0802e1bbd1fc7d42641e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ea4941919248dac0c719e38815418564

SHA1
73023f550a8c73f726e54036eede5eec3e42c101

SHA256
d1871d5aae21b54b094179db0beb8e4a89d2d87f571b8d2512f32dacd1c4ec4c

SHA512
a3a4bb13b38ac9cb7ab8245e738483fb7b4a039601bd694ad5888dd773bd1582c2f5375c9bfc0f110f6fa7726d778af466320325d34e0802e1bbd1fc7d42641e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Filesize
639KB

MD5
d2b56f5b8cd68e9e0bedd52c6388cc94

SHA1
be8bcf014c65911fd8102227a83ff21b8402de3d

SHA256
fa2374337296dd2ef87a8c44144b41ef39f789273d5d356ce2c6391e2c7f49a1

SHA512
b8d7285c607448e4865ce3bfb7438523f0fe1a7f75580811c26d58b63c6fb7fd00730fd253abdfa019f5f29167b31dc3be22677f0d948a7d11d8e28f6d0c306d

Download Submit
memory/1732-26-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1732-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1816-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-51-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1816-50-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1816-49-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2200-4-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2480-55-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2480-52-0x000000006E520000-0x000000006EACB000-memory.dmp

Filesize
5.7MB

Download
memory/2480-63-0x000000006E520000-0x000000006EACB000-memory.dmp

Filesize
5.7MB

Download
memory/2480-44-0x000000006E520000-0x000000006EACB000-memory.dmp

Filesize
5.7MB

Download
memory/2480-46-0x0000000002310000-0x0000000002350000-memory.dmp

Filesize
256KB

Download
memory/2644-21-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-31-0x0000000005EE0000-0x0000000005F5C000-memory.dmp

Filesize
496KB

Download
memory/2644-30-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2644-29-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/2644-28-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2644-27-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-25-0x00000000004C0000-0x00000000004D8000-memory.dmp

Filesize
96KB

Download
memory/2644-24-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2644-60-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/2644-22-0x0000000000C80000-0x0000000000D26000-memory.dmp

Filesize
664KB

Download
memory/2892-45-0x000000006E520000-0x000000006EACB000-memory.dmp

Filesize
5.7MB

Download
memory/2892-54-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/2892-64-0x000000006E520000-0x000000006EACB000-memory.dmp

Filesize
5.7MB

Download