agenttesla | 5cf604ed1b9d5d18625e82b4e727e1fa12b1a3eaf9dde01e3d36103e1d532bbd

Analysis

max time kernel
127s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2023 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PRE ALERT NOTICE.exe
Size

740KB
MD5

84d6854899e7c442c48d8852b3494b71
SHA1

077936c86a4ef360e92c3733abfc6633193d9583
SHA256

8bbed58c768c4123970a67377ef324e3395883269bdc99a5bf97853eb551d70a
SHA512

369d27e20ee777c5d8bb843fbb75e4174cd930df50dceab52c6feae5500542d000f2a2eb278b6cb6574cdbf9c7202b58e0b54b0c5c8e6a0e1780325216729fc3
SSDEEP

12288:s1CFpELXGkJldiJxzHxOz6Awe/DpDpCrUkIP1CLmZD+9Km87XvauYqD8J:s1CFpQ2k7CH0z6ALphkIkLUD+9Kf7XyJ

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.amtechcards.com
Port:
587
Username:
[email protected]
Password:
puuAt8;(Y$NU
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	api.ipify.org
47	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3496 set thread context of 1400	3496	PRE ALERT NOTICE.exe	98

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2116	1400	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3496	PRE ALERT NOTICE.exe
3496	PRE ALERT NOTICE.exe
1400	RegSvcs.exe
1400	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	PRE ALERT NOTICE.exe
Token: SeDebugPrivilege	1400	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98
PID 3496 wrote to memory of 1400	3496	PRE ALERT NOTICE.exe	98

C:\Users\Admin\AppData\Local\Temp\PRE ALERT NOTICE.exe
"C:\Users\Admin\AppData\Local\Temp\PRE ALERT NOTICE.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 2000
    3⤵
    - Program crash
    PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1400 -ip 1400
1⤵
PID:4004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1400-17-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/1400-16-0x0000000004F60000-0x0000000004FC6000-memory.dmp

Filesize
408KB

Download
memory/1400-15-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1400-14-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3496-4-0x00000000059F0000-0x0000000005A00000-memory.dmp

Filesize
64KB

Download
memory/3496-6-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/3496-7-0x0000000005D30000-0x0000000005D48000-memory.dmp

Filesize
96KB

Download
memory/3496-8-0x00000000059E0000-0x00000000059E6000-memory.dmp

Filesize
24KB

Download
memory/3496-9-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/3496-10-0x0000000006D40000-0x0000000006DC8000-memory.dmp

Filesize
544KB

Download
memory/3496-5-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/3496-0-0x0000000000CD0000-0x0000000000D90000-memory.dmp

Filesize
768KB

Download
memory/3496-13-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3496-3-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/3496-2-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/3496-1-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download