agenttesla | 62e74181295241e8e8b3ca0cff70a1f5044aa82aab8df781dbb22f56eccd32cd

Analysis

max time kernel
195s
max time network
169s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 13:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe
Size

611KB
MD5

bb890594548df51e5957ca2445cd7fb8
SHA1

7aabf17acfff6e33ef68bbccea7b266a48205fff
SHA256

ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e
SHA512

feaa88044792da5886b7fb4cf7eb4d67ca7be07b2376ae0e5d980be69c873f52db45eef9ab1e4b97f6dc9c1d99350fbbc579462bad7cb5bed49cbdb9752cd022
SSDEEP

12288:4SMpPbU8sOUVVhUF+i1c/OGNX+jkniNzXNDu8Z2RjbY8rk45az:4/pPbrUVo+sGNXPiN8W25YqtE

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
7213575aceACE@#$
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 1 IoCs

pid	Process
1876	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2684	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 2540	1876	svchost.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2848	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1200	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe
2540	AddInProcess32.exe
2540	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe
Token: SeDebugPrivilege	1876	svchost.exe
Token: SeDebugPrivilege	2540	AddInProcess32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1240	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe	27
PID 2820 wrote to memory of 1240	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe	27
PID 2820 wrote to memory of 1240	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe	27
PID 2820 wrote to memory of 2684	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe	29
PID 2820 wrote to memory of 2684	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe	29
PID 2820 wrote to memory of 2684	2820	ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe	29
PID 1240 wrote to memory of 2848	1240	cmd.exe	31
PID 1240 wrote to memory of 2848	1240	cmd.exe	31
PID 1240 wrote to memory of 2848	1240	cmd.exe	31
PID 2684 wrote to memory of 1200	2684	cmd.exe	32
PID 2684 wrote to memory of 1200	2684	cmd.exe	32
PID 2684 wrote to memory of 1200	2684	cmd.exe	32
PID 2684 wrote to memory of 1876	2684	cmd.exe	33
PID 2684 wrote to memory of 1876	2684	cmd.exe	33
PID 2684 wrote to memory of 1876	2684	cmd.exe	33
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2028	1876	svchost.exe	34
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2540	1876	svchost.exe	35
PID 1876 wrote to memory of 2340	1876	svchost.exe	36
PID 1876 wrote to memory of 2340	1876	svchost.exe	36
PID 1876 wrote to memory of 2340	1876	svchost.exe	36
PID 1876 wrote to memory of 2340	1876	svchost.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe
"C:\Users\Admin\AppData\Local\Temp\ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2848
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE956.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1200
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:2028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE956.tmp.bat

Filesize
151B

MD5
850913584f26d4cab5637dcf50581eec

SHA1
fd9193183620d186ba336877dddf8f3ab2bdf0d2

SHA256
382416b357aab3c389edf502158254e7459135a015160773da8000ce74c1186b

SHA512
d506a61f97fa6426bbcfea9f88e89971af90bcfe9eba19d43b7ea8f077578e27f24fb0c982847c0d7a9e696ef0cbe3c3b4a60857e2a00d9fb66ae2a2789f03f3

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
611KB

MD5
bb890594548df51e5957ca2445cd7fb8

SHA1
7aabf17acfff6e33ef68bbccea7b266a48205fff

SHA256
ce021aaca1ac091165c6bd6d9b27d41c0994d308f39bce54a5d7e59ba76a421e

SHA512
feaa88044792da5886b7fb4cf7eb4d67ca7be07b2376ae0e5d980be69c873f52db45eef9ab1e4b97f6dc9c1d99350fbbc579462bad7cb5bed49cbdb9752cd022

Download Submit
memory/1876-30-0x00000000004D0000-0x0000000000550000-memory.dmp

Filesize
512KB

Download
memory/1876-41-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-21-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-20-0x00000000004D0000-0x0000000000550000-memory.dmp

Filesize
512KB

Download
memory/1876-19-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1876-18-0x00000000012E0000-0x00000000012EC000-memory.dmp

Filesize
48KB

Download
memory/2028-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-43-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-47-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2540-46-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2540-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-45-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-3-0x0000000001EF0000-0x0000000001F86000-memory.dmp

Filesize
600KB

Download
memory/2820-0-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2820-1-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-13-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-2-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download