agenttesla | 30dccf81114caa5b3d72bc99e1f428abcea56abfbd795bd2cfa3daad84255ca5

Analysis

max time kernel
139s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 13:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

270KB
MD5

b4dded313fdc038f0c45981a2066eaf9
SHA1

771de00f904c789115929a68b0e26c46ebfaa229
SHA256

30dccf81114caa5b3d72bc99e1f428abcea56abfbd795bd2cfa3daad84255ca5
SHA512

95515bc68bc6c1d558d327031cd2668a1a8926a90a6cae6eb3c8d9cefe240bb3261e7a0937e9ee7f649a5485dacf4f08c46fb7b0706621154da7d4cf156468a5
SSDEEP

3072:GgHGiSaJXXAu627/HmeSnsOGfuyMv9LMegPyii3uMgUHdpZy/BOWBvTyrMRlPnmQ:GgHGuHFRvSfGGyg5Me1p9Jubywn/bD

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.bretoffice.com
Port:
587
Username:
[email protected]
Password:
}&HF=G!r!_eA

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bretoffice.com
Port:
587
Username:
[email protected]
Password:
}&HF=G!r!_eA
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1824 set thread context of 2804	1824	tmp.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1824	tmp.exe
1824	tmp.exe
2804	Caspol.exe
2804	Caspol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	tmp.exe
Token: SeDebugPrivilege	2804	Caspol.exe
Token: SeManageVolumePrivilege	1068	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	Caspol.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 4708	1824	tmp.exe	83
PID 1824 wrote to memory of 4708	1824	tmp.exe	83
PID 1824 wrote to memory of 4708	1824	tmp.exe	83
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84
PID 1824 wrote to memory of 2804	1824	tmp.exe	84

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  PID:4708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2804

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
de71eaebc53e9c6520b9febe0d9a04b4

SHA1
79591c6669390d5e32ef339ef0472ce4ca14a0c7

SHA256
43606000790c4fb453f10900e37b9a1384aad6797ebf26183444f6ed88f6e78a

SHA512
ab682a16a543a5dc844ece9bfbd9e828f49da57d052fac994c56552ee5eecf628711fd6c4bd8b1909deed801845905b1bae69f64786a4f1221085c40db7b45ca

Download Submit
memory/1068-61-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-65-0x00000282840C0000-0x00000282840C1000-memory.dmp

Filesize
4KB

Download
memory/1068-60-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-59-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-58-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-87-0x0000028284310000-0x0000028284311000-memory.dmp

Filesize
4KB

Download
memory/1068-52-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-86-0x0000028284200000-0x0000028284201000-memory.dmp

Filesize
4KB

Download
memory/1068-85-0x0000028284200000-0x0000028284201000-memory.dmp

Filesize
4KB

Download
memory/1068-83-0x00000282841F0000-0x00000282841F1000-memory.dmp

Filesize
4KB

Download
memory/1068-35-0x00000282FBE40000-0x00000282FBE50000-memory.dmp

Filesize
64KB

Download
memory/1068-56-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-71-0x00000282FFF90000-0x00000282FFF91000-memory.dmp

Filesize
4KB

Download
memory/1068-68-0x00000282840B0000-0x00000282840B1000-memory.dmp

Filesize
4KB

Download
memory/1068-51-0x0000028284410000-0x0000028284411000-memory.dmp

Filesize
4KB

Download
memory/1068-55-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-63-0x00000282840B0000-0x00000282840B1000-memory.dmp

Filesize
4KB

Download
memory/1068-19-0x00000282FBD40000-0x00000282FBD50000-memory.dmp

Filesize
64KB

Download
memory/1068-54-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-62-0x00000282840C0000-0x00000282840C1000-memory.dmp

Filesize
4KB

Download
memory/1068-57-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1068-53-0x0000028284430000-0x0000028284431000-memory.dmp

Filesize
4KB

Download
memory/1824-2-0x00007FFD85C10000-0x00007FFD866D1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-0-0x000001B872000000-0x000001B872046000-memory.dmp

Filesize
280KB

Download
memory/1824-1-0x000001B872450000-0x000001B872490000-memory.dmp

Filesize
256KB

Download
memory/1824-8-0x00007FFD85C10000-0x00007FFD866D1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-5-0x000001B872410000-0x000001B87241A000-memory.dmp

Filesize
40KB

Download
memory/1824-4-0x000001B872420000-0x000001B872430000-memory.dmp

Filesize
64KB

Download
memory/1824-3-0x000001B8723F0000-0x000001B8723F6000-memory.dmp

Filesize
24KB

Download
memory/2804-12-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download
memory/2804-16-0x0000000006500000-0x000000000650A000-memory.dmp

Filesize
40KB

Download
memory/2804-18-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2804-17-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2804-15-0x0000000006550000-0x00000000065E2000-memory.dmp

Filesize
584KB

Download
memory/2804-14-0x0000000006090000-0x000000000612C000-memory.dmp

Filesize
624KB

Download
memory/2804-13-0x0000000005E40000-0x0000000005E90000-memory.dmp

Filesize
320KB

Download
memory/2804-11-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/2804-10-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/2804-9-0x0000000074F80000-0x0000000075730000-memory.dmp

Filesize
7.7MB

Download
memory/2804-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download