agenttesla | b555b98abe8eb8f9e9f240fdb22070df16680e8864a6d93549a8288f57bff5c7

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CAHKHCM2404009CFS.exe
Size

852KB
MD5

15f196c8858b2d1475159aec13f4fb32
SHA1

2b11a170e73e552b1899911257e0414b81660e61
SHA256

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8
SHA512

ab4d5f10202038712ca2e81fd78dbc89fe96b8a23e2bd442ad22b1d658b5520a8a63243966abbf30803cee7a6104f55dad10f63714db170cb07d4e01fa12fe7d
SSDEEP

24576:25hHMCcDBudIWS+FgLYrD5jxX7jaE1P1q:ahHXG8hS+FICLj8

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.unitechautomations.com
Port:
587
Username:
[email protected]
Password:
Unitech@123
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

CAHKHCM2404009CFS.exe

description pid process target process

PID 2008 set thread context of 2380 2008 CAHKHCM2404009CFS.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2288 schtasks.exe

description	pid	process	target process
PID 2008 set thread context of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe

pid	process
2288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

CAHKHCM2404009CFS.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
2008	CAHKHCM2404009CFS.exe
2008	CAHKHCM2404009CFS.exe
2008	CAHKHCM2404009CFS.exe
2488	powershell.exe
2496	powershell.exe
2008	CAHKHCM2404009CFS.exe
2008	CAHKHCM2404009CFS.exe
2380	RegSvcs.exe
2380	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

CAHKHCM2404009CFS.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2008	CAHKHCM2404009CFS.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2380	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

CAHKHCM2404009CFS.exe

description	pid	process	target process
PID 2008 wrote to memory of 2488	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2488	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2488	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2488	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2496	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2496	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2496	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2496	2008	CAHKHCM2404009CFS.exe	powershell.exe
PID 2008 wrote to memory of 2288	2008	CAHKHCM2404009CFS.exe	schtasks.exe
PID 2008 wrote to memory of 2288	2008	CAHKHCM2404009CFS.exe	schtasks.exe
PID 2008 wrote to memory of 2288	2008	CAHKHCM2404009CFS.exe	schtasks.exe
PID 2008 wrote to memory of 2288	2008	CAHKHCM2404009CFS.exe	schtasks.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe
PID 2008 wrote to memory of 2380	2008	CAHKHCM2404009CFS.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\CAHKHCM2404009CFS.exe
"C:\Users\Admin\AppData\Local\Temp\CAHKHCM2404009CFS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CAHKHCM2404009CFS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DwDrfAUza.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DwDrfAUza" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp"
2⤵
- Creates scheduled task(s)
PID:2288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp
Filesize
1KB

MD5
7ed26c29cd7c1bf5a106d5179efebd80

SHA1
08fe368e5ad422e2b2e460d872dd64982be1ef39

SHA256
1ce854769d8e1af89adefdeba1055b97864f604f077792e03cba7ddd59e0d6c9

SHA512
4ca40f566dc417b32366e481c3d6eb0a8e0b71110ad1d37d4a0f655a79b0364c7b0e0ac56d1fc8bf395edcdd6e7fc5e0f86546b60f45d6276bd41cd8a3ced341

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VK0KYP8BONN53T92CHV6.temp
Filesize
7KB

MD5
86636235616d323e75404c78f2927b3a

SHA1
fe1e40cce844af3558f5adf80a90100fea7c03cd

SHA256
7c10a6c003b5a5c20a4369ea43ed4b71e9005cfeba0d52765f43b2ab716463b0

SHA512
f7b387c5fac7de7cb4f34728ac19ede7bebf7c99f45f8a08f50341fc6bce102a244720a9e3c6b49391fec58f64e455fd3e99d6aa1d6ee7ef2fc3a8c49091da9e

Download Submit
memory/2008-0-0x0000000000EA0000-0x0000000000F7A000-memory.dmp

Filesize
872KB

Download
memory/2008-1-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-2-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download
memory/2008-3-0x0000000000D70000-0x0000000000E0E000-memory.dmp

Filesize
632KB

Download
memory/2008-4-0x0000000000530000-0x0000000000548000-memory.dmp

Filesize
96KB

Download
memory/2008-5-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2008-6-0x0000000000A30000-0x0000000000A44000-memory.dmp

Filesize
80KB

Download
memory/2008-7-0x0000000005A60000-0x0000000005AE4000-memory.dmp

Filesize
528KB

Download
memory/2008-40-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-44-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/2380-49-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/2380-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-48-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-43-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-36-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2380-42-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-41-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2488-37-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-45-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2488-21-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-20-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-38-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-35-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/2496-46-0x000000006E910000-0x000000006EEBB000-memory.dmp

Filesize
5.7MB

Download
memory/2496-22-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads