agenttesla | 5dcfac410a8ac5371ec25cbf19002209f1d52c7429ea992e2efd965ff55d4fa9

Resubmissions

23/02/2024, 03:45

240223-ea6qpsaf9t 10

23/02/2024, 02:03

240223-cg4htahg5x 10

Analysis

max time kernel
143s
max time network
100s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/02/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe
Size

1.1MB
MD5

43e749d37e86bded763f7fb1b7b3cb06
SHA1

8979cf333b073a45cb5a7ce9444652b7f7b273ba
SHA256

039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b
SHA512

97ade5e78a31cfafb5173183f8420c6fc248ebf260e200b49cb6e7d7f3f7e30c53dc6c10a71ff4cdd022533856eda65081cf844da54b7064c2dcd60f7b95f6b0
SSDEEP

24576:IRmJkcoQricOIQxiZY1iaqjy+ZdZ84VeVhqHWm6HTVYBJ0:tJZoQrbTFZY1iaqjbZX84OhqHXI1

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2696	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2768	039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral13/files/0x0037000000016270-12.dat	autoit_exe
behavioral13/files/0x0037000000016270-15.dat	autoit_exe
behavioral13/files/0x0037000000016270-16.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2696 set thread context of 2996	2696	name.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	svchost.exe
2996	svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2696	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2696	2768	039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe	28
PID 2768 wrote to memory of 2696	2768	039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe	28
PID 2768 wrote to memory of 2696	2768	039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe	28
PID 2768 wrote to memory of 2696	2768	039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe	28
PID 2696 wrote to memory of 2996	2696	name.exe	29
PID 2696 wrote to memory of 2996	2696	name.exe	29
PID 2696 wrote to memory of 2996	2696	name.exe	29
PID 2696 wrote to memory of 2996	2696	name.exe	29
PID 2696 wrote to memory of 2996	2696	name.exe	29

C:\Users\Admin\AppData\Local\Temp\039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe
"C:\Users\Admin\AppData\Local\Temp\039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\039cf1e827f8a2bcf066d1b64e92b333a5973fe9ada6c0f6a6bef4020925355b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\carryover

Filesize
323KB

MD5
1e51f73284ee171e5ed56048217b2aba

SHA1
9d1ff562ee014c9140d71178e676cb2030771f07

SHA256
49ab602b0c3d286ecb7987532fb96d57355637edd5ce51f1b995c1612f3e9624

SHA512
6a33a0d67dfb1288a832357a859af840a555e614d1fb5dc628e142c50546173ec9443d47321b0e833c7f34c911d6a11dd7c592d157632bfcc4cc994e3dc09300

Download Submit
C:\Users\Admin\AppData\Local\Temp\gammy

Filesize
29KB

MD5
eba69707a20d9fab32d26e61e41de75b

SHA1
246aabc8c92c9598cfe7d6877d3c17a1a9521624

SHA256
580a9f2c932b71c9f0bd8cf20068dea233017a36c1783fa37f94f510be671ba6

SHA512
221eda72b16e5c0bbcfa359a0b37d259e39d23e090f18a7d72726d88a662be1afa38b12a6d9016e399c414454bdf0ed2345b890f829d24845e01931402256e60

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
11.6MB

MD5
972cd051080d569f70a83cdf52904f56

SHA1
ad6fd6a03223669936043849d88482d808f11eec

SHA256
bb884827fac6f40ae4a92f1b5873d4d0019688aeeab731a37fd2147ac590e8ae

SHA512
3d6b93bbe86c0d22d80a703450bb3894d4a4d53836a848f3f231c40fddc0142e9867e41e62b190673d661da9da0b0a848b994e9939ab8348f5bc549040e331cd

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
14.2MB

MD5
505b0daa5fe7ff8cdd935657076595e0

SHA1
36b980fa6aa6ea2aed5a420e034b1c4b66a9f42e

SHA256
ec0d703ab999293be95da0270c9318ea9f01a26faa9ca82e8a3ecef141d3bc4d

SHA512
5c7fc9078458f5a017ba7bdc7d95087e45b1dcc0dce4763c97b955e5a18ae797e28ec560e410e4e50dff561e6c9c7fe291bb3afd7e4d74d84adda7d0e2c2755a

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
7.4MB

MD5
b19d6795d5ba458827b8477e4e42f735

SHA1
2ab63605d6aea6ec18596e8996f18bbc760596e2

SHA256
f1052829e0094de00d99f7fe4cbf6df5608f06186bf73bab17ebf0ca0ce0338d

SHA512
87c5e93828631e741db902ce02b81881b4787c0eaa5f424656dc0447f6f6eb290fb281c26f4ec5530a57e0d108fa0e1f2e0723a1b944b502f01922a0de79383d

Download Submit
memory/2768-10-0x00000000003F0000-0x00000000003F4000-memory.dmp

Filesize
16KB

Download
memory/2996-35-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-39-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-33-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2996-34-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-30-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2996-36-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/2996-37-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-32-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2996-38-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-40-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2996-41-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2996-42-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-43-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-44-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2996-45-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download