agenttesla | 0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f

Analysis

max time kernel
139s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/03/2024, 02:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
Size

1.3MB
MD5

fe11f252a14d3eda9a9fd40627a49b42
SHA1

6feb47b70a0028bcd8482b301dc1c2286ac1cda9
SHA256

0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f
SHA512

2fc3b6ef8686fe96abbbe2f7b98177d02060e992a69662a70e842b4ece89130d3dceadb0d79bd9b7002f90eb5cad04b16a5d01b595530b575ff1c3b405bd2d7e
SSDEEP

24576:+fVE9JOwLpXSel31n20ESW9AR3lL3VIGtdoXwEhBQgAGaCKJ1wSvXhJNE8x4Dd2z:+fVE9nLpXf1yCdK4B2a

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bezzleauto.com
Port:
587
Username:
[email protected]
Password:
|[NbQj>}o^#0
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Program Files (x86)\\CN23AEAHR00001S.exe,"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2044	CN23AEAHR00001S.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	cmd.exe
2480	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\CN23AEAHR00001S.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\CN23AEAHR00001S.exe	cmd.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
2932	PING.EXE
2868	PING.EXE
2800	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
2044	CN23AEAHR00001S.exe
2044	CN23AEAHR00001S.exe
2044	CN23AEAHR00001S.exe
2044	CN23AEAHR00001S.exe
2044	CN23AEAHR00001S.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
Token: SeDebugPrivilege	2044	CN23AEAHR00001S.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2968	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	28
PID 2860 wrote to memory of 2968	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	28
PID 2860 wrote to memory of 2968	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	28
PID 2860 wrote to memory of 2968	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	28
PID 2968 wrote to memory of 2800	2968	cmd.exe	30
PID 2968 wrote to memory of 2800	2968	cmd.exe	30
PID 2968 wrote to memory of 2800	2968	cmd.exe	30
PID 2968 wrote to memory of 2800	2968	cmd.exe	30
PID 2860 wrote to memory of 2480	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	31
PID 2860 wrote to memory of 2480	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	31
PID 2860 wrote to memory of 2480	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	31
PID 2860 wrote to memory of 2480	2860	0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe	31
PID 2480 wrote to memory of 2932	2480	cmd.exe	33
PID 2480 wrote to memory of 2932	2480	cmd.exe	33
PID 2480 wrote to memory of 2932	2480	cmd.exe	33
PID 2480 wrote to memory of 2932	2480	cmd.exe	33
PID 2968 wrote to memory of 2440	2968	cmd.exe	34
PID 2968 wrote to memory of 2440	2968	cmd.exe	34
PID 2968 wrote to memory of 2440	2968	cmd.exe	34
PID 2968 wrote to memory of 2440	2968	cmd.exe	34
PID 2480 wrote to memory of 2868	2480	cmd.exe	37
PID 2480 wrote to memory of 2868	2480	cmd.exe	37
PID 2480 wrote to memory of 2868	2480	cmd.exe	37
PID 2480 wrote to memory of 2868	2480	cmd.exe	37
PID 2480 wrote to memory of 2044	2480	cmd.exe	38
PID 2480 wrote to memory of 2044	2480	cmd.exe	38
PID 2480 wrote to memory of 2044	2480	cmd.exe	38
PID 2480 wrote to memory of 2044	2480	cmd.exe	38
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2780	2044	CN23AEAHR00001S.exe	39
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40
PID 2044 wrote to memory of 2268	2044	CN23AEAHR00001S.exe	40

C:\Users\Admin\AppData\Local\Temp\0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe
"C:\Users\Admin\AppData\Local\Temp\0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 39 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Program Files (x86)\CN23AEAHR00001S.exe,"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - Runs ping.exe
    PID:2800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Program Files (x86)\CN23AEAHR00001S.exe,"
    3⤵
    - Modifies WinLogon for persistence
    PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f.exe" "C:\Program Files (x86)\CN23AEAHR00001S.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Program Files (x86)\CN23AEAHR00001S.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 37
    3⤵
    - Runs ping.exe
    PID:2932
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 37
    3⤵
    - Runs ping.exe
    PID:2868
- - C:\Program Files (x86)\CN23AEAHR00001S.exe
    "C:\Program Files (x86)\CN23AEAHR00001S.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2780
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CN23AEAHR00001S.exe

Filesize
31KB

MD5
995caa446f944a73485ef9bb259818b7

SHA1
86d217545bd166fb2eda3bd53247cbd1608b0e8a

SHA256
0f3598d49402a30311f9b242c54db0975bf3e5ae7853491d3f1a14a813e975dc

SHA512
f1fef354cf4aaf42e260ed711b7bfe38a64fdfc5d4b77c78490f91fdccdbb1cf5246b4f7efcde334009af7f9d5d423a3ba736775ebf007c3bef014f2fc01a5f0

Download Submit
C:\Program Files (x86)\CN23AEAHR00001S.exe

Filesize
1.3MB

MD5
fe11f252a14d3eda9a9fd40627a49b42

SHA1
6feb47b70a0028bcd8482b301dc1c2286ac1cda9

SHA256
0cf03463ef356a3efd6df247333143b40dfdc4dd50888ac388743ea817e3b88f

SHA512
2fc3b6ef8686fe96abbbe2f7b98177d02060e992a69662a70e842b4ece89130d3dceadb0d79bd9b7002f90eb5cad04b16a5d01b595530b575ff1c3b405bd2d7e

Download Submit
C:\Program Files (x86)\CN23AEAHR00001S.exe

Filesize
2KB

MD5
ec5e82287aa3c7af4640e41bbe8c4e74

SHA1
da4aa6c819d7e382dffb1b63fd49afc0acc4909e

SHA256
9d0df71613830814ff9dd83eaa9e0e4880796937efe1f8315e62a33ec17e9c54

SHA512
34fba34c6da5ad92410d373155b32048ec40eeecdef96fb4f0c5f9a50956f0411a6059c884e1691ea4471c8fcf04098fe82323d4db4d75ef169f1a9596228bb6

Download Submit
\Program Files (x86)\CN23AEAHR00001S.exe

Filesize
639KB

MD5
4b5c44e3629f5b5ed60b9a76eb6ac4fb

SHA1
e1926e2865cac46b72dafbcfeb0c159c168ef3de

SHA256
8a666701763b3133aba95c1097610fc5d2cbeef6855ac9bb9a140ea8687656a4

SHA512
ed8279f627f903100a8f2a8b0a66e8c74f196696d0af4208e5ce0de9b84a95dd6f09943472b471e9bd102b83ffc0a33f89c0b98d34a33414bb0a0c58060bba25

Download Submit
\Program Files (x86)\CN23AEAHR00001S.exe

Filesize
1.2MB

MD5
70ccc3de11817b7da3fede61dfa3e4cc

SHA1
7dfafadcda0e2ec60e80f289f51ca7e10c8cce6b

SHA256
7d510319ff743d1f587724f7a91ae1036afba9fe27a9e66230ec84c0cfbf268a

SHA512
358bbb8d55e7ecd789b6c5d34b2dcc041090333e84c0d743805534c243808305643235326a2e23977a830ae3e23dc8997027360c7e149bab4007bedccfe0fd3a

Download Submit
memory/2044-23-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/2044-22-0x0000000000480000-0x000000000049A000-memory.dmp

Filesize
104KB

Download
memory/2044-17-0x0000000000C20000-0x0000000000D6A000-memory.dmp

Filesize
1.3MB

Download
memory/2044-18-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-19-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/2044-20-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2044-21-0x0000000004760000-0x00000000047A0000-memory.dmp

Filesize
256KB

Download
memory/2780-27-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2780-28-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2780-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-26-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2780-24-0x0000000000090000-0x00000000000D0000-memory.dmp

Filesize
256KB

Download
memory/2860-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2860-1-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-0-0x0000000000080000-0x00000000001CA000-memory.dmp

Filesize
1.3MB

Download
memory/2860-6-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-3-0x0000000004490000-0x00000000044D4000-memory.dmp

Filesize
272KB

Download
memory/2860-4-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2860-5-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download