agenttesla | b555b98abe8eb8f9e9f240fdb22070df16680e8864a6d93549a8288f57bff5c7

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
Size

852KB
MD5

15f196c8858b2d1475159aec13f4fb32
SHA1

2b11a170e73e552b1899911257e0414b81660e61
SHA256

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8
SHA512

ab4d5f10202038712ca2e81fd78dbc89fe96b8a23e2bd442ad22b1d658b5520a8a63243966abbf30803cee7a6104f55dad10f63714db170cb07d4e01fa12fe7d
SSDEEP

24576:25hHMCcDBudIWS+FgLYrD5jxX7jaE1P1q:ahHXG8hS+FICLj8

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.unitechautomations.com
Port:
587
Username:
design@unitechautomations.com
Password:
Unitech@123
Email To:
overseas1@vestalshipping.com.vn

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe

description	pid	process	target process
PID 1600 set thread context of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2572 schtasks.exe

pid	process
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exepowershell.exepowershell.exeRegSvcs.exe

pid	process
1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
2672	powershell.exe
2912	powershell.exe
1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
2532	RegSvcs.exe
2532	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2532	RegSvcs.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe

description	pid	process	target process
PID 1600 wrote to memory of 2672	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2672	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2672	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2672	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2912	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2912	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2912	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2912	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	powershell.exe
PID 1600 wrote to memory of 2572	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	schtasks.exe
PID 1600 wrote to memory of 2572	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	schtasks.exe
PID 1600 wrote to memory of 2572	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	schtasks.exe
PID 1600 wrote to memory of 2572	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	schtasks.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2464	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe
PID 1600 wrote to memory of 2532	1600	2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe
"C:\Users\Admin\AppData\Local\Temp\2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2cba66d97b8af051072417ad7267c9f56f8f74eca98a5e5bf5d7ddc894249ad8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DwDrfAUza.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DwDrfAUza" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp"
2⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp
Filesize
1KB

MD5
466c181230b388427215011bd522ed04

SHA1
112f8c1b71c1eeecc5d4fe80c9c31e611c4234bf

SHA256
c3b81f3755a120aeff02758d55665ca52641922d69148769bb4e8980001a0729

SHA512
0a97e45252f538972c69d1c368ec48100e9c57fad8950d0d92c06ae76afb23e7ae55d8d93a76269629ad55b563a0043456038a2672e7ec0feb15bb45cba373f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KEUCIWJ7SUOYMKV4K2DL.temp
Filesize
7KB

MD5
f98fc02b971593d086d1300f77755cf9

SHA1
06b136d916a214efe08f371d8dab53b56f23e032

SHA256
2126d91520b80bfd34eaf2ed4172779ff43215f47890cac49b9d033f08786952

SHA512
d6946214be976f4c60e3079b676de6624ac1f690c2e54c9dec7f1f8fb4a5681ec879e04340db979269f67068aebb5bc2e0cf0a7ec9f7e21c79f2f6231d9c6857

Download Submit
memory/1600-32-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1600-0-0x0000000000050000-0x000000000012A000-memory.dmp

Filesize
872KB

Download
memory/1600-2-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/1600-3-0x0000000004720000-0x00000000047BE000-memory.dmp

Filesize
632KB

Download
memory/1600-4-0x0000000001E60000-0x0000000001E78000-memory.dmp

Filesize
96KB

Download
memory/1600-5-0x0000000001E90000-0x0000000001E9E000-memory.dmp

Filesize
56KB

Download
memory/1600-6-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/1600-7-0x0000000001D70000-0x0000000001DF4000-memory.dmp

Filesize
528KB

Download
memory/1600-40-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1600-1-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-41-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2532-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-47-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-46-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2532-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-42-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2532-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-20-0x000000006F360000-0x000000006F90B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-23-0x0000000002CD0000-0x0000000002D10000-memory.dmp

Filesize
256KB

Download
memory/2672-44-0x000000006F360000-0x000000006F90B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-30-0x000000006F360000-0x000000006F90B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-22-0x000000006F360000-0x000000006F90B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-26-0x000000006F360000-0x000000006F90B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-43-0x000000006F360000-0x000000006F90B000-memory.dmp

Filesize
5.7MB

Download
memory/2912-27-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads