agenttesla | 5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe
Size

1.3MB
MD5

0a70e5f93e5f292c9a2efd52d1ee8dc2
SHA1

273567963735242d870a11958a5b74e285a30e91
SHA256

5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf
SHA512

16a3876a1d51c4eedd4a95f2e0d3bb5738e5d8c0751147032b7c49f10be6064d12412408b239d7a9624373f57ff302a798a8fc4c9beffc3b4ac56c06afe1ba9b
SSDEEP

24576:2GkO2IKvDUpVdtbeo91PqUSSsZfUOA0w3IrBF8hEto7Fooi/Szd0inUa:Ff2lvDUpXtH91Pf8TAbOF6UUFCKR0GU

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.dnz.com.tr
Port:
587
Username:
[email protected]
Password:
deceze2404
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2000 set thread context of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2940	CasPol.exe
2940	CasPol.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	CasPol.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28
PID 2000 wrote to memory of 2940	2000	5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe	28

C:\Users\Admin\AppData\Local\Temp\5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe
"C:\Users\Admin\AppData\Local\Temp\5ac748c4345cd88fffdb3b3cfce48b2696f6b2473c06ffac3d2bb51a76ec11bf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-0-0x0000000000890000-0x00000000009D6000-memory.dmp

Filesize
1.3MB

Download
memory/2000-1-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2000-2-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2000-3-0x0000000000430000-0x000000000045C000-memory.dmp

Filesize
176KB

Download
memory/2000-4-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download
memory/2000-5-0x00000000049B0000-0x0000000004A2E000-memory.dmp

Filesize
504KB

Download
memory/2000-6-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/2000-7-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2000-8-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/2000-9-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/2000-10-0x0000000004DC0000-0x00000000054AE000-memory.dmp

Filesize
6.9MB

Download
memory/2000-11-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2000-12-0x0000000000430000-0x0000000000468000-memory.dmp

Filesize
224KB

Download
memory/2000-13-0x0000000004A10000-0x0000000004A90000-memory.dmp

Filesize
512KB

Download
memory/2000-14-0x0000000000430000-0x000000000044F000-memory.dmp

Filesize
124KB

Download
memory/2000-15-0x00000000003E0000-0x00000000003ED000-memory.dmp

Filesize
52KB

Download
memory/2000-16-0x0000000000430000-0x0000000000448000-memory.dmp

Filesize
96KB

Download
memory/2000-17-0x0000000000430000-0x0000000000458000-memory.dmp

Filesize
160KB

Download
memory/2000-18-0x0000000004DC0000-0x0000000004EA8000-memory.dmp

Filesize
928KB

Download
memory/2000-19-0x0000000004DC0000-0x0000000004E83000-memory.dmp

Filesize
780KB

Download
memory/2000-20-0x0000000000430000-0x0000000000467000-memory.dmp

Filesize
220KB

Download
memory/2000-21-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/2000-22-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2000-23-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2000-24-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2000-25-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2000-26-0x0000000000430000-0x0000000000448000-memory.dmp

Filesize
96KB

Download
memory/2000-27-0x0000000004DC0000-0x0000000004F1A000-memory.dmp

Filesize
1.4MB

Download
memory/2000-28-0x0000000004DC0000-0x0000000004E64000-memory.dmp

Filesize
656KB

Download
memory/2000-29-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/2000-30-0x0000000004DC0000-0x0000000004EE2000-memory.dmp

Filesize
1.1MB

Download
memory/2000-31-0x0000000000720000-0x0000000000764000-memory.dmp

Filesize
272KB

Download
memory/2000-32-0x0000000004A10000-0x0000000004A86000-memory.dmp

Filesize
472KB

Download
memory/2000-33-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2000-34-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/2000-35-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/2000-36-0x0000000004DC0000-0x0000000004E7A000-memory.dmp

Filesize
744KB

Download
memory/2000-37-0x0000000004E80000-0x0000000004F3A000-memory.dmp

Filesize
744KB

Download
memory/2000-38-0x0000000004A10000-0x0000000004A70000-memory.dmp

Filesize
384KB

Download
memory/2000-39-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/2000-40-0x0000000005040000-0x0000000005309000-memory.dmp

Filesize
2.8MB

Download
memory/2000-41-0x00000000005C0000-0x00000000005DE000-memory.dmp

Filesize
120KB

Download
memory/2000-42-0x0000000000620000-0x000000000063E000-memory.dmp

Filesize
120KB

Download
memory/2000-43-0x0000000004A10000-0x0000000004A8C000-memory.dmp

Filesize
496KB

Download
memory/2000-44-0x0000000004DC0000-0x0000000004E3C000-memory.dmp

Filesize
496KB

Download
memory/2000-45-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/2000-46-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2000-47-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2000-48-0x00000000005D0000-0x00000000005DE000-memory.dmp

Filesize
56KB

Download
memory/2000-49-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2000-50-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2000-51-0x0000000000720000-0x0000000000742000-memory.dmp

Filesize
136KB

Download
memory/2000-52-0x0000000000750000-0x0000000000772000-memory.dmp

Filesize
136KB

Download
memory/2000-53-0x0000000000720000-0x0000000000739000-memory.dmp

Filesize
100KB

Download
memory/2000-54-0x0000000005040000-0x000000000518F000-memory.dmp

Filesize
1.3MB

Download
memory/2000-55-0x0000000005040000-0x000000000515F000-memory.dmp

Filesize
1.1MB

Download
memory/2000-56-0x0000000004A10000-0x0000000004A8D000-memory.dmp

Filesize
500KB

Download
memory/2000-57-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/2000-58-0x0000000005500000-0x0000000005A62000-memory.dmp

Filesize
5.4MB

Download
memory/2000-59-0x0000000000720000-0x0000000000736000-memory.dmp

Filesize
88KB

Download
memory/2000-60-0x0000000000720000-0x0000000000746000-memory.dmp

Filesize
152KB

Download
memory/2000-61-0x0000000004A10000-0x0000000004A6F000-memory.dmp

Filesize
380KB

Download
memory/2000-62-0x0000000000720000-0x000000000073A000-memory.dmp

Filesize
104KB

Download
memory/2000-63-0x0000000000720000-0x0000000000727000-memory.dmp

Filesize
28KB

Download
memory/2940-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download