agenttesla | d172a99be3a242602683908e636d281504ae75bc8b54b8fa2b22356f445da957

Analysis

max time kernel
103s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe
Size

47KB
MD5

4595983f2279e94a794918f99c08aa12
SHA1

09db508dbafc6baec88cc2a4b810eff2bb4af009
SHA256

d172a99be3a242602683908e636d281504ae75bc8b54b8fa2b22356f445da957
SHA512

a49050f23d8e0a9c49c99be643e881f3081252ddc55377a674963b141a3e1edc0eb709258f75ff976e50fc8505d4a3f581468387386da1e45e30cd64a2c72259
SSDEEP

768:3IfW2do84tle1yvZxHvwsY3uEmu24Ra2DovIieNhIPVQPaq:YfEtl/DwsEh92m7ov0oWh

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.brlcons.com
Port:
587
Username:
[email protected]
Password:
cSPRBgd2

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.brlcons.com
Port:
587
Username:
[email protected]
Password:
cSPRBgd2
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YZbrmyt = "C:\\Users\\Admin\\AppData\\Roaming\\YZbrmyt\\YZbrmyt.exe"	CasPol.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3276	CasPol.exe
3276	CasPol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe
Token: SeDebugPrivilege	3276	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3276	CasPol.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88
PID 3916 wrote to memory of 3276	3916	SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe	88

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7149.22442.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3276-12-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3276-13-0x0000000005030000-0x0000000005096000-memory.dmp

Filesize
408KB

Download
memory/3276-20-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/3276-11-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3276-19-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3276-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3276-18-0x00000000065D0000-0x00000000065DA000-memory.dmp

Filesize
40KB

Download
memory/3276-17-0x0000000006620000-0x00000000066B2000-memory.dmp

Filesize
584KB

Download
memory/3276-16-0x00000000064E0000-0x000000000657C000-memory.dmp

Filesize
624KB

Download
memory/3276-15-0x00000000063F0000-0x0000000006440000-memory.dmp

Filesize
320KB

Download
memory/3916-4-0x0000000004CE0000-0x0000000004CFA000-memory.dmp

Filesize
104KB

Download
memory/3916-3-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download
memory/3916-0-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/3916-10-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3916-1-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/3916-7-0x0000000006790000-0x0000000006D34000-memory.dmp

Filesize
5.6MB

Download
memory/3916-6-0x0000000006160000-0x00000000061DC000-memory.dmp

Filesize
496KB

Download
memory/3916-5-0x0000000004CC0000-0x0000000004CC8000-memory.dmp

Filesize
32KB

Download
memory/3916-2-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download