agenttesla | c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242

Analysis

max time kernel
151s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 01:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
Size

696KB
MD5

9c84d70768c3af6334b2b104f9ab06c7
SHA1

0379c8682b3df052dc8edb6e5513900fda5fae83
SHA256

c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242
SHA512

02f06b97ede0e4c799caa4eb792f99eac770e2c906a00688443b5cf5b2b7407184a27ac1d519f2065d3ea1e0c924540f4d329567811220ad6d1e66a98e9a73b7
SSDEEP

12288:1mDbZrwZ1AcMB2Dses+MweXSshUOlAlTet8O36Pwa2iN:aZTcM93+Yi6kTe6Z31

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.aficofilters.com.eg
Port:
587
Username:
[email protected]
Password:
mhds@852
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
2624	powershell.exe
2684	powershell.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2624	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	28
PID 1784 wrote to memory of 2624	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	28
PID 1784 wrote to memory of 2624	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	28
PID 1784 wrote to memory of 2624	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	28
PID 1784 wrote to memory of 2684	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	30
PID 1784 wrote to memory of 2684	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	30
PID 1784 wrote to memory of 2684	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	30
PID 1784 wrote to memory of 2684	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	30
PID 1784 wrote to memory of 2544	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	32
PID 1784 wrote to memory of 2544	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	32
PID 1784 wrote to memory of 2544	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	32
PID 1784 wrote to memory of 2544	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	32
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34
PID 1784 wrote to memory of 2412	1784	c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe	34

C:\Users\Admin\AppData\Local\Temp\c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe
"C:\Users\Admin\AppData\Local\Temp\c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c1cd4760729c2297023acb0fa90f5745086282c2cb53ada37ecba4384fa57242.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tGSEPDWGlluup.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tGSEPDWGlluup" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9C01.tmp

Filesize
1KB

MD5
d237ea6c6ee8528277b8745e652ee6b1

SHA1
1a1bafbe1f484625006b2810c8d4276bb79dad21

SHA256
47a700d9d33511704abc2975a23a0c7be5b849f52d8d37216f7dade0038de818

SHA512
8c1e07b5952edf57a004d103611604bc8e00f8959441ddbab744158ed002074e7fd656dbca9983f46e6e3c588bdd863ea6c4c0061de03787f89b5d49dfa5925c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ARR8PPK4C2AFEVDJSR5Q.temp

Filesize
7KB

MD5
29a16378d69b55b4c5873890583d5884

SHA1
5cda800be5cd0b7eeb3c6120e5abebc854d342a1

SHA256
ce22f78d8e6fefd04c37acf877d049d0a143fff3ed94a13ce5e969ba9085e450

SHA512
d3fa25021ce49592a9795a8e566d995ba301151531ce109d0b5a93fbfd42cd1e8ab1dfc69de64749856db736eb2729732b57466b366619d292b91bb800d07b9e

Download Submit
memory/1784-0-0x0000000000210000-0x00000000002C0000-memory.dmp

Filesize
704KB

Download
memory/1784-1-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1784-3-0x0000000000640000-0x0000000000654000-memory.dmp

Filesize
80KB

Download
memory/1784-4-0x0000000001DD0000-0x0000000001DDA000-memory.dmp

Filesize
40KB

Download
memory/1784-5-0x0000000001DE0000-0x0000000001DEE000-memory.dmp

Filesize
56KB

Download
memory/1784-6-0x0000000004C80000-0x0000000004D02000-memory.dmp

Filesize
520KB

Download
memory/1784-39-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1784-38-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/2412-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2624-35-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2624-31-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2624-26-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-37-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/2624-19-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-29-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2684-33-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2684-23-0x0000000002710000-0x0000000002750000-memory.dmp

Filesize
256KB

Download
memory/2684-28-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-36-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download
memory/2684-21-0x000000006EB50000-0x000000006F0FB000-memory.dmp

Filesize
5.7MB

Download