agenttesla | 4d698f4799b7a7fee3105c9d3c1e47fbb0f0d565e547216a52187c5a3438fb15

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 03:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
Size

914KB
MD5

ee17020f12968548b24f4c5f162a767a
SHA1

17ffb97a8d5982952fa36950ded78e980acd37be
SHA256

cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d
SHA512

d99cbcbe2ad0c00a2a393c99f6d607973a7a2bde7e89f8e79a13c0c2b8e8e114d8824846a0de5e46e27c436384357dbcfd3c9b50f63b84983b60c9f425b104d0
SSDEEP

24576:ushkAkeX3B5sr0mFZESjjNrlGWhDyaLzK7:u2LHHjsIkOShlLDyMzK7

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp5ua.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 1 IoCs

pid	Process
456	Vextensions.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vextensions = "C:\\Users\\Admin\\AppData\\Roaming\\Vextensions.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 456 set thread context of 624	456	Vextensions.exe	113

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3296	624	WerFault.exe	113

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
916	PING.EXE
1204	PING.EXE
4976	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
456	Vextensions.exe
456	Vextensions.exe
456	Vextensions.exe
624	InstallUtil.exe
624	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
Token: SeDebugPrivilege	456	Vextensions.exe
Token: SeDebugPrivilege	624	InstallUtil.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 3404	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe	92
PID 5080 wrote to memory of 3404	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe	92
PID 5080 wrote to memory of 3404	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe	92
PID 3404 wrote to memory of 916	3404	cmd.exe	94
PID 3404 wrote to memory of 916	3404	cmd.exe	94
PID 3404 wrote to memory of 916	3404	cmd.exe	94
PID 5080 wrote to memory of 4380	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe	103
PID 5080 wrote to memory of 4380	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe	103
PID 5080 wrote to memory of 4380	5080	cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe	103
PID 4380 wrote to memory of 1204	4380	cmd.exe	105
PID 4380 wrote to memory of 1204	4380	cmd.exe	105
PID 4380 wrote to memory of 1204	4380	cmd.exe	105
PID 3404 wrote to memory of 3016	3404	cmd.exe	107
PID 3404 wrote to memory of 3016	3404	cmd.exe	107
PID 3404 wrote to memory of 3016	3404	cmd.exe	107
PID 4380 wrote to memory of 4976	4380	cmd.exe	110
PID 4380 wrote to memory of 4976	4380	cmd.exe	110
PID 4380 wrote to memory of 4976	4380	cmd.exe	110
PID 4380 wrote to memory of 456	4380	cmd.exe	112
PID 4380 wrote to memory of 456	4380	cmd.exe	112
PID 4380 wrote to memory of 456	4380	cmd.exe	112
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113
PID 456 wrote to memory of 624	456	Vextensions.exe	113

C:\Users\Admin\AppData\Local\Temp\cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe
"C:\Users\Admin\AppData\Local\Temp\cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 29 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Vextensions" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Vextensions.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 29
    3⤵
    - Runs ping.exe
    PID:916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Vextensions" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Vextensions.exe"
    3⤵
    - Adds Run key to start application
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 27 > nul && copy "C:\Users\Admin\AppData\Local\Temp\cdc07215534b2a013cc2ab666d9a37eaebf478aa389489416159fd7034c2670d.exe" "C:\Users\Admin\AppData\Roaming\Vextensions.exe" && ping 127.0.0.1 -n 27 > nul && "C:\Users\Admin\AppData\Roaming\Vextensions.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 27
    3⤵
    - Runs ping.exe
    PID:1204
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 27
    3⤵
    - Runs ping.exe
    PID:4976
- - C:\Users\Admin\AppData\Roaming\Vextensions.exe
    "C:\Users\Admin\AppData\Roaming\Vextensions.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:624
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 1380
        5⤵
        Program crash
        
        PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 624 -ip 624
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Vextensions.exe

Filesize
462KB

MD5
64e1d0c30ed63cad7c569a7f5cce3344

SHA1
34bfbbbd5301de1c28acff3e7b60f8dcf4480851

SHA256
d0bfb7df297b284c03bec0f06e967df53ed125865888aea24ff0b328da1b63f9

SHA512
929c1c1d3cf5a0e199c7379f0f13e80e51ed765fd7b195bdb93be43bc43c756cedea7ea0d320969710e15a40065e070220aef2c3f48c245273d7608314e30c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Vextensions.exe

Filesize
551KB

MD5
49aaa870630dc5027bece8eb53e3b1c1

SHA1
6ba45c4ff6d700dbe0589d1ae8becc85e7dbf6a2

SHA256
3ef081b582a74467b77e0e9ea9d6f71a51e1476e2d815420fdb361d68fa5f9b1

SHA512
34c2660d379fd3969a5709e33cbf5a57460be9a4042b240fc1abd9d0f7251022fb8b5ed07dd335a6dac10d5deeb558ccdef5fae89c369769ff8951e41437a183

Download Submit
memory/456-25-0x0000000009EE0000-0x0000000009EE6000-memory.dmp

Filesize
24KB

Download
memory/456-19-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/456-22-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/456-23-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/456-18-0x0000000000AD0000-0x0000000000BB4000-memory.dmp

Filesize
912KB

Download
memory/456-29-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/456-20-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/456-21-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/456-24-0x00000000075E0000-0x00000000075FA000-memory.dmp

Filesize
104KB

Download
memory/456-26-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/624-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/624-30-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/624-31-0x0000000004CB0000-0x0000000004CC0000-memory.dmp

Filesize
64KB

Download
memory/624-32-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/624-33-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/5080-9-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/5080-0-0x00000000003A0000-0x0000000000484000-memory.dmp

Filesize
912KB

Download
memory/5080-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/5080-2-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/5080-1-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/5080-12-0x00000000744A0000-0x0000000074C50000-memory.dmp

Filesize
7.7MB

Download
memory/5080-10-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5080-8-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5080-7-0x0000000005D10000-0x0000000005D1A000-memory.dmp

Filesize
40KB

Download
memory/5080-6-0x0000000005B00000-0x0000000005B44000-memory.dmp

Filesize
272KB

Download
memory/5080-5-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/5080-4-0x0000000004D40000-0x0000000004DDC000-memory.dmp

Filesize
624KB

Download