agenttesla | da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rInquiry.exe
Size

602KB
MD5

cdef16a2a2116cd907aa817b11217cfd
SHA1

d23ba1f017c0e65ba65203c889a2bea963d63d3a
SHA256

da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
SHA512

9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
SSDEEP

12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
terminal4.veeblehosting.com
Port:
587
Username:
[email protected]
Password:
Ifeanyi1987@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2104 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2860 cmd.exe
2476 WerFault.exe
2476 WerFault.exe
2476 WerFault.exe
2476 WerFault.exe
2476 WerFault.exe

pid	process
2104	svchost.exe

pid	process
2860	cmd.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe
2476	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rInquiry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	rInquiry.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2104 set thread context of 2388 2104 svchost.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2560 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

rInquiry.exeAddInProcess32.exe

pid process

2648 rInquiry.exe
2648 rInquiry.exe
2648 rInquiry.exe
2388 AddInProcess32.exe
2388 AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rInquiry.exesvchost.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 2648 rInquiry.exe
Token: SeDebugPrivilege 2104 svchost.exe
Token: SeDebugPrivilege 2388 AddInProcess32.exe

flow	ioc
4	ip-api.com

description	pid	process	target process
PID 2104 set thread context of 2388	2104	svchost.exe	AddInProcess32.exe

pid	process
2628	schtasks.exe

pid	process
2560	timeout.exe

pid	process
2648	rInquiry.exe
2648	rInquiry.exe
2648	rInquiry.exe
2388	AddInProcess32.exe
2388	AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	2648	rInquiry.exe
Token: SeDebugPrivilege	2104	svchost.exe
Token: SeDebugPrivilege	2388	AddInProcess32.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

rInquiry.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 2648 wrote to memory of 2688	2648	rInquiry.exe	cmd.exe
PID 2648 wrote to memory of 2688	2648	rInquiry.exe	cmd.exe
PID 2648 wrote to memory of 2688	2648	rInquiry.exe	cmd.exe
PID 2648 wrote to memory of 2860	2648	rInquiry.exe	cmd.exe
PID 2648 wrote to memory of 2860	2648	rInquiry.exe	cmd.exe
PID 2648 wrote to memory of 2860	2648	rInquiry.exe	cmd.exe
PID 2688 wrote to memory of 2628	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2628	2688	cmd.exe	schtasks.exe
PID 2688 wrote to memory of 2628	2688	cmd.exe	schtasks.exe
PID 2860 wrote to memory of 2560	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 2560	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 2560	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 2104	2860	cmd.exe	svchost.exe
PID 2860 wrote to memory of 2104	2860	cmd.exe	svchost.exe
PID 2860 wrote to memory of 2104	2860	cmd.exe	svchost.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2388	2104	svchost.exe	AddInProcess32.exe
PID 2104 wrote to memory of 2476	2104	svchost.exe	WerFault.exe
PID 2104 wrote to memory of 2476	2104	svchost.exe	WerFault.exe
PID 2104 wrote to memory of 2476	2104	svchost.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rInquiry.exe
"C:\Users\Admin\AppData\Local\Temp\rInquiry.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2560

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2104 -s 716
4⤵
- Loads dropped DLL
PID:2476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.bat
Filesize
151B

MD5
b328cb1a708abd4e62460de0f2fe2a43

SHA1
d8db2f72b13fea3ba3ee8a515752bb4342cab714

SHA256
80c44f5a07ddc916a886b653b0fd49d957235204a8b4921a2965fa3698d4b050

SHA512
7989747101a6f393e9fc4d139244180c3fe538a328cc8f0c855e5c8ed79212484c20f39bfc1a0c45d8440d12bba12626fdc5853c3b163d5eba08f84250554680

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
166KB

MD5
243c38b5243444b13e12bf19105b0704

SHA1
5f5620901df29375a41b1109e3d051f03fee39ee

SHA256
85562d2e0699843de3ba0c059c8d5c97886484ac532bfea2f7b8da37e0a1a186

SHA512
0cc293c16594457319c7abb23469258714237a17d89d5e3d293dc2cfdad7f50d4c348d997421c97c2e8517cfea59c4c7c09d6fe998499aba2be002b61780f337

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
129KB

MD5
8efc85ba9f1710d4956c76a472813a83

SHA1
571250d6779d10e870d3d4923f0b90c46467700d

SHA256
aac242264a552500b02eba11ed880f99f843f976c7770fcfc773030cc25f5da0

SHA512
d447a3c3ea53396427a7718e5ba736961f1203659e462a7643ecd1c4c0e31bd5515ce5cc904acdfde48d50fba062ae6241696c778d5d853d0fa4b851d120ca79

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
210KB

MD5
1a829a898785d5b43ef12ffb74f2e8ab

SHA1
6743250ef50732806b8ee02bfcb47c659771af93

SHA256
116df9b93e8a0309cbf89fc1a3154daf6b69b3a7f63b665d2665996f883da4e4

SHA512
370d3392a0707e90793b8863dba615c893bc634a2ea4d620c3a9b465cc92f607258382c5a36272545d8363cb6c8679f9b935aad31eb1c7a54537686a3bb3b111

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
43KB

MD5
d80d59f3a4fba8ff131d18a862a8f53e

SHA1
a5dba2d03cb61b70f099e74dec056f5eb5341032

SHA256
9aaa6e3ef7dce7c443d1d6ac938a8bd64687efff63bbda34c131881700a0c3cd

SHA512
09047dc97f53bf864de8868fea0adb2e4762d29e4bb5bc612ff7d979543e8251a587cd4a3571437a8656bff24131a8795e1a749dad91083658feb6c517cc5622

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
24KB

MD5
6a2999d2bfcd05c08f4740ec549ea184

SHA1
fa1f0bbca2d7b20b8300d1deb827d277addcae08

SHA256
3a412138af3e4c441bcf84b9f60fdaffe3e3ab0af1b1d1962113871cc1e882d3

SHA512
d642dbd5c93daceb2b279b3670fea3cd6a8f61e5cdaddaf44242ec37042ba0ce3d3dddc62f18ba05c0b2499089e3cb4df3f3152b61ea74b5e644dee5f1627bdb

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
21KB

MD5
c00c4e39b1e48279fdf778a249975d5c

SHA1
bad8c79d4a4323c6c9f8a6ac8a05ea3600846ddf

SHA256
dd1f66698caef1bd6c457eea525a1420d011b3bf8e9e16d9a26a0a21fc1c5b02

SHA512
652dfae4d9aeeb678dbe847a98cf5d127fbe152f3c0283d7e59b409a97f4dbb96a8929839c716edb563b3854364da5bb7b9eb547c0c5fa5abb6ada1b19ce21f8

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
58KB

MD5
1280ddb0a9e080c32c25a69905fddf03

SHA1
693273c5e7c0af9531627e2fce47fe7ac286fd54

SHA256
73e416856ab5d0fc18fddbbc249dd55b3557db6b67e33d85e789723997f845fd

SHA512
44a9b65181d580283329300953a6fe0c6d4ef88e692fb7b624e3545f50e03a2810291cc87e2d33ffe263a7d606ddab385a83679b3b1a2c50435260547b8ce71e

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
287KB

MD5
62d13cc3cb768257f2f3ac94d9251701

SHA1
f12b0f074c5ac15ecd1885793a2816603a4465e0

SHA256
a05f7292d5b3a9521cdb618636ee48a0f7a3e377cad793c8aff400deafa92fa9

SHA512
7bf1d4635f8611a9b11e95b210c3b9476ed7b81b19685688f6704ae4ed4756bd28f4460e457b45e48431662f6b206fcb91a0aeae4eb0fd8770cefd684fb22948

Download Submit
memory/2104-18-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/2104-19-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-20-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2104-39-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-40-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/2388-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-42-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2388-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2388-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2388-41-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-36-0x0000000074610000-0x0000000074CFE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-38-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/2648-3-0x0000000000E70000-0x0000000000F06000-memory.dmp

Filesize
600KB

Download
memory/2648-2-0x000000001B420000-0x000000001B4A0000-memory.dmp

Filesize
512KB

Download
memory/2648-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2648-0-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/2648-13-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download