agenttesla | 2b90a753fd2f28c391d607ace21d9477b1b22b213ffc5f541337aea128c98d8b

Analysis

max time kernel
509s
max time network
436s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
10-12-2023 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VC_redist.x64.exe
Size

1.3MB
MD5

1d897c3961ba925a30687d4a496264f4
SHA1

4701e3cfecd6add58fb684f3456c12fbd301ca9a
SHA256

2b90a753fd2f28c391d607ace21d9477b1b22b213ffc5f541337aea128c98d8b
SHA512

7c545b6e466dd7508d02a528aa76c636d54cf9f337c6b150ee8962880a18c9c4bdd6c7f345930fc7448d6ec94735c59bf70b6ba749aa80d4a2d817b0c9c34a04
SSDEEP

24576:UEqFRdngwtlaHxN8KUWVe6tw2wvKhLnGkqjVnlqud+/2P+A6:UEqHdngwwHv5VbtHwlkqXfd+/9A

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1492-8-0x0000000006970000-0x0000000006B66000-memory.dmp	family_agenttesla

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1492	VC_redist.x64.exe
520	VC_redist.x64.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	VC_redist.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	VC_redist.x64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe
1492	VC_redist.x64.exe
520	VC_redist.x64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	VC_redist.x64.exe
Token: SeDebugPrivilege	520	VC_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\VC_redist.x64.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-11-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/520-18-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/520-17-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/520-16-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/520-14-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/520-13-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/1492-8-0x0000000006970000-0x0000000006B66000-memory.dmp

Filesize
2.0MB

Download
memory/1492-7-0x00000000067C0000-0x00000000067FC000-memory.dmp

Filesize
240KB

Download
memory/1492-0-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-9-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-10-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1492-6-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/1492-12-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-5-0x00000000050B0000-0x00000000050C2000-memory.dmp

Filesize
72KB

Download
memory/1492-4-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-15-0x00000000051D0000-0x00000000051E0000-memory.dmp

Filesize
64KB

Download
memory/1492-3-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/1492-2-0x0000000005790000-0x0000000005D34000-memory.dmp

Filesize
5.6MB

Download
memory/1492-1-0x0000000000590000-0x00000000006D8000-memory.dmp

Filesize
1.3MB

Download