agenttesla | 6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2023 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
Size

676KB
MD5

86c92625a06644590f8f93f6aa5669db
SHA1

eceab13ad2b687af069dd80a60f714dd345d019c
SHA256

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876
SHA512

2f04e694216d52ee2ccab165067d14641993d1fc770736d8a813e8cdff82729e1eefc5e8945b6dfd65e9166ba227139b1c35c3742e3e56bcdd5f4392e3a5957d
SSDEEP

12288:4v26JAeIIn3gXWRadHKP5jaLEPkyndhv0x5blcAciPGK:G26JA4MW+KP5jaLEHndhvY53DG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
29ftOO+6H-ivsG5A
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe

description	pid	process	target process
PID 4732 set thread context of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4860 64 WerFault.exe RegSvcs.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3716 schtasks.exe

pid	pid_target	process	target process
4860	64	WerFault.exe	RegSvcs.exe

pid	process
3716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4316	powershell.exe
632	powershell.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
64	RegSvcs.exe
64	RegSvcs.exe
632	powershell.exe
4316	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	64	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe

description	pid	process	target process
PID 4732 wrote to memory of 632	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	powershell.exe
PID 4732 wrote to memory of 632	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	powershell.exe
PID 4732 wrote to memory of 632	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	powershell.exe
PID 4732 wrote to memory of 4316	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	powershell.exe
PID 4732 wrote to memory of 4316	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	powershell.exe
PID 4732 wrote to memory of 4316	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	powershell.exe
PID 4732 wrote to memory of 3716	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	schtasks.exe
PID 4732 wrote to memory of 3716	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	schtasks.exe
PID 4732 wrote to memory of 3716	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	schtasks.exe
PID 4732 wrote to memory of 3216	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 3216	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 3216	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 3940	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 3940	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 3940	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe
PID 4732 wrote to memory of 64	4732	6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
"C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dUtDhaePto.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUtDhaePto" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB3D.tmp"
2⤵
- Creates scheduled task(s)
PID:3716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1420
3⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 64 -ip 64
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fb70d01e4e545da7c5624ebae8d57d3b

SHA1
b8f49749d7db5861a11d2b15895ca4f54fa7ca77

SHA256
dd29a36158b81fa3bf406b3e5c0054500eeab4f157a9e769ac1c61b81c0b771a

SHA512
c74ca8b42cd79ff0657af3e3ce4c75d9c4c6a9252615e8529c0b970d6de17ced3ebc26de4b202ab9c74952c1d2a2cd66cbc350e8ad0d499c8edd8b6ab201a0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbi3xuol.rem.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDB3D.tmp

Filesize
1KB

MD5
349e096f819e74cbe24adf2866f7d888

SHA1
0e2e8f219e68d41343d61c4fb9382a15aedbda5d

SHA256
d0fae1ad38ef1bf5565f0a347ba6ab2626c3f8bd5b5ab0b859660db50e000c11

SHA512
265bb3af6fb7ff2318460caea6bb90963a8879e82b335f499a775abd4f98aaf6ac3d17b4be9d9c52f7b5b37085cfbcb2f6ae588219ffaa52a1a4c66dde7bb042

Download Submit
memory/64-96-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/64-49-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/64-29-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/64-26-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/632-50-0x0000000006130000-0x0000000006196000-memory.dmp

Filesize
408KB

Download
memory/632-35-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/632-95-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/632-15-0x0000000002D40000-0x0000000002D76000-memory.dmp

Filesize
216KB

Download
memory/632-85-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

Filesize
56KB

Download
memory/632-17-0x0000000005990000-0x0000000005FB8000-memory.dmp

Filesize
6.2MB

Download
memory/632-18-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/632-83-0x0000000007C20000-0x0000000007CB6000-memory.dmp

Filesize
600KB

Download
memory/632-81-0x00000000079A0000-0x00000000079BA000-memory.dmp

Filesize
104KB

Download
memory/632-19-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/632-22-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/632-80-0x0000000007FF0000-0x000000000866A000-memory.dmp

Filesize
6.5MB

Download
memory/632-68-0x0000000007850000-0x00000000078F3000-memory.dmp

Filesize
652KB

Download
memory/632-67-0x0000000006C30000-0x0000000006C4E000-memory.dmp

Filesize
120KB

Download
memory/632-57-0x0000000075640000-0x000000007568C000-memory.dmp

Filesize
304KB

Download
memory/632-56-0x0000000007810000-0x0000000007842000-memory.dmp

Filesize
200KB

Download
memory/632-55-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/632-54-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/632-53-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/4316-82-0x0000000007250000-0x000000000725A000-memory.dmp

Filesize
40KB

Download
memory/4316-86-0x0000000007420000-0x0000000007434000-memory.dmp

Filesize
80KB

Download
memory/4316-52-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/4316-94-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/4316-88-0x0000000007500000-0x0000000007508000-memory.dmp

Filesize
32KB

Download
memory/4316-87-0x0000000007520000-0x000000000753A000-memory.dmp

Filesize
104KB

Download
memory/4316-84-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/4316-27-0x0000000004F40000-0x0000000004F62000-memory.dmp

Filesize
136KB

Download
memory/4316-20-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4316-25-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/4316-21-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4316-70-0x0000000075640000-0x000000007568C000-memory.dmp

Filesize
304KB

Download
memory/4316-69-0x000000007FA20000-0x000000007FA30000-memory.dmp

Filesize
64KB

Download
memory/4732-4-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/4732-8-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/4732-9-0x0000000006C80000-0x0000000006CFA000-memory.dmp

Filesize
488KB

Download
memory/4732-7-0x0000000005940000-0x0000000005948000-memory.dmp

Filesize
32KB

Download
memory/4732-6-0x0000000005930000-0x0000000005946000-memory.dmp

Filesize
88KB

Download
memory/4732-16-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/4732-23-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/4732-5-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/4732-2-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/4732-3-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/4732-0-0x0000000000C20000-0x0000000000CCE000-memory.dmp

Filesize
696KB

Download
memory/4732-51-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/4732-10-0x00000000095D0000-0x000000000966C000-memory.dmp

Filesize
624KB

Download
memory/4732-1-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download