agenttesla | 1afe857d1b5f2c0ff48ebbd2f32abf11f9b310416b1273e77adc7ee37f001ff8

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Samples 1/1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
Size

762KB
MD5

3e9a543b85c85a0b808902b0b6cef9b2
SHA1

29d589b838b4e1a5e54a6bfe52da0d5859609865
SHA256

1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695
SHA512

f212b3a2f4c25701df3f41be93c13cf9a6a84e1affd4e8b0f7b9fb5bc0689a1b3a1c55052c99fca314f540199997a8c265f9f447fe8b013a085a199a7fffb3c6
SSDEEP

12288:aHW7TohIU2CoLBPdV+GLBOeUjYb9qUp5jlnRLm5bvL2z4is:a27SELNdYGL8eUjYbMUp5RnRLm5LLw4

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6857395601:AAEr0Ki03_UqNs4qlOxRNOhnjU8odyo6de4/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

Processes:

1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

description	pid	process	target process
PID 1740 set thread context of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

pid	process
2832	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
2832	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

description pid process

Token: SeDebugPrivilege 2832 1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

description	pid	process
Token: SeDebugPrivilege	2832	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

description	pid	process	target process
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
PID 1740 wrote to memory of 2832	1740	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe	1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe

C:\Users\Admin\AppData\Local\Temp\Samples 1\1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
"C:\Users\Admin\AppData\Local\Temp\Samples 1\1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\Samples 1\1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe
  "C:\Users\Admin\AppData\Local\Temp\Samples 1\1d21da7ca3f1105e0fba4c64281c4199a1d2788bf2fd5ed975529e7a7ea6d695.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-18-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-0-0x0000000000ED0000-0x0000000000F94000-memory.dmp

Filesize
784KB

Download
memory/1740-2-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/1740-3-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1740-4-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1740-5-0x0000000005870000-0x0000000005906000-memory.dmp

Filesize
600KB

Download
memory/1740-1-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-19-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2832-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2832-10-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-6-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-20-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download