agenttesla | 7c8aaa88dd30f1b0301e3aaf0da58cdea2dfa56c0eb3b35b68123ecdefdf59e9

Analysis

max time kernel
172s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47d09683fc102a85a7dea2516ca81fa3.exe
Size

760KB
MD5

47d09683fc102a85a7dea2516ca81fa3
SHA1

f64cc824abd8804458c3f31f06c16d0bec9338dd
SHA256

848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9
SHA512

eccff33ade27412be147d7f792ec150f79f0fba322cbf4a2befb46f615a71c578bd15c324c579fdbb9c377f221679cf4a04575c9f8f4814841346a244e80a2a6
SSDEEP

12288:Ro7VntzJOQX040txZp8sNx2HExIWtWrnngnnnKnanxNY:u104SgWtWrnngnnnKnanxN

Score

10^/10

agenttesla purecrypter downloader keylogger loader persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.metalindus.cl
Port:
587
Username:
[email protected]
Password:
metalindus_2019
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral24/memory/4076-3-0x00000000073B0000-0x000000000741C000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	47d09683fc102a85a7dea2516ca81fa3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tyovqojh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iqbhgo\\Tyovqojh.exe\""	47d09683fc102a85a7dea2516ca81fa3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 4320	4076	47d09683fc102a85a7dea2516ca81fa3.exe	167

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 20 IoCs

evasion

pid	Process
4704	timeout.exe
3936	timeout.exe
4532	timeout.exe
2208	timeout.exe
5000	timeout.exe
4564	timeout.exe
3832	timeout.exe
1736	timeout.exe
5116	timeout.exe
3976	timeout.exe
1940	timeout.exe
4860	timeout.exe
5088	timeout.exe
3984	timeout.exe
1788	timeout.exe
4660	timeout.exe
3276	timeout.exe
2848	timeout.exe
880	timeout.exe
3960	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4076	47d09683fc102a85a7dea2516ca81fa3.exe
4076	47d09683fc102a85a7dea2516ca81fa3.exe
4320	MSBuild.exe
4320	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	47d09683fc102a85a7dea2516ca81fa3.exe
Token: SeDebugPrivilege	4320	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 5108	4076	47d09683fc102a85a7dea2516ca81fa3.exe	97
PID 4076 wrote to memory of 5108	4076	47d09683fc102a85a7dea2516ca81fa3.exe	97
PID 4076 wrote to memory of 5108	4076	47d09683fc102a85a7dea2516ca81fa3.exe	97
PID 5108 wrote to memory of 2848	5108	cmd.exe	99
PID 5108 wrote to memory of 2848	5108	cmd.exe	99
PID 5108 wrote to memory of 2848	5108	cmd.exe	99
PID 4076 wrote to memory of 4868	4076	47d09683fc102a85a7dea2516ca81fa3.exe	100
PID 4076 wrote to memory of 4868	4076	47d09683fc102a85a7dea2516ca81fa3.exe	100
PID 4076 wrote to memory of 4868	4076	47d09683fc102a85a7dea2516ca81fa3.exe	100
PID 4868 wrote to memory of 5000	4868	cmd.exe	102
PID 4868 wrote to memory of 5000	4868	cmd.exe	102
PID 4868 wrote to memory of 5000	4868	cmd.exe	102
PID 4076 wrote to memory of 3632	4076	47d09683fc102a85a7dea2516ca81fa3.exe	103
PID 4076 wrote to memory of 3632	4076	47d09683fc102a85a7dea2516ca81fa3.exe	103
PID 4076 wrote to memory of 3632	4076	47d09683fc102a85a7dea2516ca81fa3.exe	103
PID 3632 wrote to memory of 4564	3632	cmd.exe	105
PID 3632 wrote to memory of 4564	3632	cmd.exe	105
PID 3632 wrote to memory of 4564	3632	cmd.exe	105
PID 4076 wrote to memory of 4924	4076	47d09683fc102a85a7dea2516ca81fa3.exe	106
PID 4076 wrote to memory of 4924	4076	47d09683fc102a85a7dea2516ca81fa3.exe	106
PID 4076 wrote to memory of 4924	4076	47d09683fc102a85a7dea2516ca81fa3.exe	106
PID 4924 wrote to memory of 3832	4924	cmd.exe	108
PID 4924 wrote to memory of 3832	4924	cmd.exe	108
PID 4924 wrote to memory of 3832	4924	cmd.exe	108
PID 4076 wrote to memory of 4840	4076	47d09683fc102a85a7dea2516ca81fa3.exe	109
PID 4076 wrote to memory of 4840	4076	47d09683fc102a85a7dea2516ca81fa3.exe	109
PID 4076 wrote to memory of 4840	4076	47d09683fc102a85a7dea2516ca81fa3.exe	109
PID 4840 wrote to memory of 5116	4840	cmd.exe	111
PID 4840 wrote to memory of 5116	4840	cmd.exe	111
PID 4840 wrote to memory of 5116	4840	cmd.exe	111
PID 4076 wrote to memory of 4004	4076	47d09683fc102a85a7dea2516ca81fa3.exe	112
PID 4076 wrote to memory of 4004	4076	47d09683fc102a85a7dea2516ca81fa3.exe	112
PID 4076 wrote to memory of 4004	4076	47d09683fc102a85a7dea2516ca81fa3.exe	112
PID 4004 wrote to memory of 4704	4004	cmd.exe	114
PID 4004 wrote to memory of 4704	4004	cmd.exe	114
PID 4004 wrote to memory of 4704	4004	cmd.exe	114
PID 4076 wrote to memory of 4800	4076	47d09683fc102a85a7dea2516ca81fa3.exe	115
PID 4076 wrote to memory of 4800	4076	47d09683fc102a85a7dea2516ca81fa3.exe	115
PID 4076 wrote to memory of 4800	4076	47d09683fc102a85a7dea2516ca81fa3.exe	115
PID 4800 wrote to memory of 880	4800	cmd.exe	117
PID 4800 wrote to memory of 880	4800	cmd.exe	117
PID 4800 wrote to memory of 880	4800	cmd.exe	117
PID 4076 wrote to memory of 4296	4076	47d09683fc102a85a7dea2516ca81fa3.exe	118
PID 4076 wrote to memory of 4296	4076	47d09683fc102a85a7dea2516ca81fa3.exe	118
PID 4076 wrote to memory of 4296	4076	47d09683fc102a85a7dea2516ca81fa3.exe	118
PID 4296 wrote to memory of 3936	4296	cmd.exe	120
PID 4296 wrote to memory of 3936	4296	cmd.exe	120
PID 4296 wrote to memory of 3936	4296	cmd.exe	120
PID 4076 wrote to memory of 1908	4076	47d09683fc102a85a7dea2516ca81fa3.exe	121
PID 4076 wrote to memory of 1908	4076	47d09683fc102a85a7dea2516ca81fa3.exe	121
PID 4076 wrote to memory of 1908	4076	47d09683fc102a85a7dea2516ca81fa3.exe	121
PID 1908 wrote to memory of 3960	1908	cmd.exe	123
PID 1908 wrote to memory of 3960	1908	cmd.exe	123
PID 1908 wrote to memory of 3960	1908	cmd.exe	123
PID 4076 wrote to memory of 2236	4076	47d09683fc102a85a7dea2516ca81fa3.exe	124
PID 4076 wrote to memory of 2236	4076	47d09683fc102a85a7dea2516ca81fa3.exe	124
PID 4076 wrote to memory of 2236	4076	47d09683fc102a85a7dea2516ca81fa3.exe	124
PID 2236 wrote to memory of 4660	2236	cmd.exe	126
PID 2236 wrote to memory of 4660	2236	cmd.exe	126
PID 2236 wrote to memory of 4660	2236	cmd.exe	126
PID 4076 wrote to memory of 3316	4076	47d09683fc102a85a7dea2516ca81fa3.exe	129
PID 4076 wrote to memory of 3316	4076	47d09683fc102a85a7dea2516ca81fa3.exe	129
PID 4076 wrote to memory of 3316	4076	47d09683fc102a85a7dea2516ca81fa3.exe	129
PID 3316 wrote to memory of 4532	3316	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\47d09683fc102a85a7dea2516ca81fa3.exe
"C:\Users\Admin\AppData\Local\Temp\47d09683fc102a85a7dea2516ca81fa3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4704
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:5088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:2372
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3976
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:2676
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:3160
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:4404
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 1
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4076-8-0x0000000001730000-0x0000000001772000-memory.dmp

Filesize
264KB

Download
memory/4076-2-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4076-9-0x0000000001770000-0x00000000017BC000-memory.dmp

Filesize
304KB

Download
memory/4076-10-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/4076-4-0x0000000007420000-0x0000000007470000-memory.dmp

Filesize
320KB

Download
memory/4076-5-0x0000000007A20000-0x0000000007FC4000-memory.dmp

Filesize
5.6MB

Download
memory/4076-6-0x0000000007520000-0x00000000075B2000-memory.dmp

Filesize
584KB

Download
memory/4076-7-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4076-0-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4076-1-0x0000000000C70000-0x0000000000D34000-memory.dmp

Filesize
784KB

Download
memory/4076-3-0x00000000073B0000-0x000000000741C000-memory.dmp

Filesize
432KB

Download
memory/4076-16-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4076-14-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4320-15-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4320-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4320-17-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/4320-18-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/4320-19-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download