agenttesla | 198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab

Analysis

max time kernel
104s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 03:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe
Size

51KB
MD5

44ef67d36591a9919537dcb1b3eab620
SHA1

516207d3cad0715fcb2b97d972273529861a5620
SHA256

198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab
SHA512

9642d0a069e55c722d48a768672772a484b52c1e7c7fe4e3df41d4fe8d3b172de3b35e7a195f527ed3bbf511c2d38f1e4593ec4c470270da661879792e5fa26a
SSDEEP

1536:m9GoybjmKenUVriynW539+E//2djZEQbh+5tjO1:m9GxqnmeyS39+Y/YEQbh+5JO1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.pension-sofia.gr
Port:
587
Username:
[email protected]
Password:
Y%~^fY0,&=p$

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.pension-sofia.gr
Port:
587
Username:
[email protected]
Password:
Y%~^fY0,&=p$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs

resource	yara_rule
behavioral2/memory/3556-8-0x0000000008040000-0x000000000813A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs

resource	yara_rule
behavioral2/memory/3556-8-0x0000000008040000-0x000000000813A000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs

resource	yara_rule
behavioral2/memory/3556-8-0x0000000008040000-0x000000000813A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM

Detects executables potentially checking for WinJail sandbox window 2 IoCs

resource	yara_rule
behavioral2/memory/3556-8-0x0000000008040000-0x000000000813A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Anti_WinJail
behavioral2/memory/3556-8-0x0000000008040000-0x000000000813A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com
21	api.ipify.org
22	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3556 set thread context of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	CasPol.exe
2724	CasPol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe
Token: SeDebugPrivilege	2724	CasPol.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85
PID 3556 wrote to memory of 2724	3556	198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe	85

C:\Users\Admin\AppData\Local\Temp\198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe
"C:\Users\Admin\AppData\Local\Temp\198ad08263da7ea050003bb7c98d9d4ec0951da98432f3ef2ed1f2cf208b8aab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2724-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-17-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/2724-16-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/2724-15-0x00000000066C0000-0x0000000006710000-memory.dmp

Filesize
320KB

Download
memory/2724-14-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/2724-13-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/2724-11-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/3556-4-0x0000000004990000-0x0000000004A22000-memory.dmp

Filesize
584KB

Download
memory/3556-8-0x0000000008040000-0x000000000813A000-memory.dmp

Filesize
1000KB

Download
memory/3556-7-0x0000000007FA0000-0x000000000803C000-memory.dmp

Filesize
624KB

Download
memory/3556-6-0x0000000004920000-0x000000000492A000-memory.dmp

Filesize
40KB

Download
memory/3556-12-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download
memory/3556-5-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/3556-0-0x0000000000010000-0x0000000000024000-memory.dmp

Filesize
80KB

Download
memory/3556-3-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/3556-2-0x0000000002260000-0x000000000227A000-memory.dmp

Filesize
104KB

Download
memory/3556-1-0x0000000074E60000-0x0000000075610000-memory.dmp

Filesize
7.7MB

Download