agenttesla | 05153d2248e5df1b394ef03a5736f209e3bb4eec5cd88ac710d4a56e4eef3183

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHIPPING DOCUMENTS#202993.exe
Size

683KB
MD5

6adb7b71640a2f11f8144693e2b15d41
SHA1

38c3551a6b02c88e793f37b29a522071100bced6
SHA256

b5cd63c5fec95f16d9c11ca726e0bad76d52eb122a6458b3940d5dd94d3a7dfb
SHA512

d5a6bca0366b1aed4c03f70defc319e70932c18d9ca89183f08479aa8d306532a50f3e06a08fe4182ae0e86e2980b5971940dca75a5a397f48da5e26d4664c30
SSDEEP

12288:C4ueH5qfhisCn/zzGAfjmT0HHy5Jvjgbsfc1DhpYChjAVejJI:PqZxwG4jmT0H6Vjgbcc1Dhpbac

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.amtechcards.com
Port:
587
Username:
[email protected]
Password:
puuAt8;(Y$NU
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	api.ipify.org
24	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4012 set thread context of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3068	3488	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4012	SHIPPING DOCUMENTS#202993.exe
4012	SHIPPING DOCUMENTS#202993.exe
3488	RegSvcs.exe
3488	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	SHIPPING DOCUMENTS#202993.exe
Token: SeDebugPrivilege	3488	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89
PID 4012 wrote to memory of 3488	4012	SHIPPING DOCUMENTS#202993.exe	89

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS#202993.exe
"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS#202993.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 2008
    3⤵
    - Program crash
    PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3488 -ip 3488
1⤵
PID:4684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3488-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3488-17-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/3488-16-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/3488-15-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/3488-14-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4012-8-0x0000000006CE0000-0x0000000006CEA000-memory.dmp

Filesize
40KB

Download
memory/4012-6-0x0000000005DB0000-0x0000000005DCA000-memory.dmp

Filesize
104KB

Download
memory/4012-7-0x0000000006CC0000-0x0000000006CC8000-memory.dmp

Filesize
32KB

Download
memory/4012-1-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4012-9-0x0000000007330000-0x00000000073AA000-memory.dmp

Filesize
488KB

Download
memory/4012-10-0x00000000098F0000-0x000000000998C000-memory.dmp

Filesize
624KB

Download
memory/4012-5-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/4012-13-0x0000000075370000-0x0000000075B20000-memory.dmp

Filesize
7.7MB

Download
memory/4012-4-0x0000000005D10000-0x0000000005D20000-memory.dmp

Filesize
64KB

Download
memory/4012-3-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/4012-2-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/4012-0-0x0000000000FD0000-0x0000000001082000-memory.dmp

Filesize
712KB

Download