agenttesla | 274d1736557ec814867b7b474604e946272c7cda33bac17becc15c1a7d4ca493

Analysis

max time kernel
73s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 08:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolarisBETA/Solaris.exe
Size

143KB
MD5

f8cc2b58cec9e31bf803fae2e4f46bfa
SHA1

b2ffd2d4288b141e35e732f85e4949b4ed7b4820
SHA256

365dc0f2d75a3468ba97b0e4f262b34b3e42c0f8085c0cf6c4745abd1cab2b75
SHA512

d243e216bde8a8265b21923a1268de8b7665cbc6b547edcfc96b3d5883475980d9a870c6c9e3de523bd42dd8815648a43c739157cad3aa3f205555252e6e72a9
SSDEEP

3072:ErHyYbtwcPYv4DlyzCk/2WlguRdLDhwHeL7nxZUvXvtaIA2XP7XXADPG:ErHRbtwcPYv4DlyzCk/zguRvL7xwcIA7

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1908-2-0x0000010CE1330000-0x0000010CE1544000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	Solaris.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Solaris.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Solaris.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Solaris.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2024	CefSharp.BrowserSubprocess.exe
2024	CefSharp.BrowserSubprocess.exe
2300	CefSharp.BrowserSubprocess.exe
2300	CefSharp.BrowserSubprocess.exe
3652	CefSharp.BrowserSubprocess.exe
3652	CefSharp.BrowserSubprocess.exe
4436	CefSharp.BrowserSubprocess.exe
4436	CefSharp.BrowserSubprocess.exe
536	CefSharp.BrowserSubprocess.exe
536	CefSharp.BrowserSubprocess.exe
4048	CefSharp.BrowserSubprocess.exe
4048	CefSharp.BrowserSubprocess.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	Solaris.exe
Token: SeDebugPrivilege	2024	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	2300	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	3652	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	4436	CefSharp.BrowserSubprocess.exe
Token: SeDebugPrivilege	536	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeDebugPrivilege	4048	CefSharp.BrowserSubprocess.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe
Token: SeCreatePagefilePrivilege	1908	Solaris.exe
Token: SeShutdownPrivilege	1908	Solaris.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2024	1908	Solaris.exe	87
PID 1908 wrote to memory of 2024	1908	Solaris.exe	87
PID 1908 wrote to memory of 4436	1908	Solaris.exe	88
PID 1908 wrote to memory of 4436	1908	Solaris.exe	88
PID 1908 wrote to memory of 2300	1908	Solaris.exe	89
PID 1908 wrote to memory of 2300	1908	Solaris.exe	89
PID 1908 wrote to memory of 536	1908	Solaris.exe	90
PID 1908 wrote to memory of 536	1908	Solaris.exe	90
PID 1908 wrote to memory of 3652	1908	Solaris.exe	91
PID 1908 wrote to memory of 3652	1908	Solaris.exe	91
PID 1908 wrote to memory of 4048	1908	Solaris.exe	92
PID 1908 wrote to memory of 4048	1908	Solaris.exe	92

C:\Users\Admin\AppData\Local\Temp\SolarisBETA\Solaris.exe
"C:\Users\Admin\AppData\Local\Temp\SolarisBETA\Solaris.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --mojo-platform-channel-handle=2120 --field-trial-handle=2128,i,2272622872393871340,7246379468325258040,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:2 --host-process-id=1908
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --mojo-platform-channel-handle=2924 --field-trial-handle=2128,i,2272622872393871340,7246379468325258040,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8 --host-process-id=1908
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --mojo-platform-channel-handle=2992 --field-trial-handle=2128,i,2272622872393871340,7246379468325258040,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8 --host-process-id=1908
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --first-renderer-process --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3248 --field-trial-handle=2128,i,2272622872393871340,7246379468325258040,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=1908 /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3252 --field-trial-handle=2128,i,2272622872393871340,7246379468325258040,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=1908 /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe
  "C:\Users\Admin\AppData\Local\Temp\SolarisBETA\CefSharp.BrowserSubprocess.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --cefsharpexitsub --no-sandbox --log-file="C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3372 --field-trial-handle=2128,i,2272622872393871340,7246379468325258040,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --host-process-id=1908 /prefetch:1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json

Filesize
738B

MD5
4f780472301b1f2b33540fbcbb9c9407

SHA1
79e502d461157deb75e73a200523a4992f96bd0d

SHA256
d333d8d7f6c12d0fd04f1589f15b706826f2f6d4e3816255b49ba8facf085776

SHA512
433f8efe672059caef808d5efe8d87dc658bdfc937842c06546ad234c97bbb6af41688002f5b3428e058d4a864f2c70e85bc7d9cae61f09b0f160d75e7ef06d3

Download Submit
C:\Users\Admin\AppData\Local\CEF\User Data\LocalPrefs.json~RFe587cdc.TMP

Filesize
529B

MD5
10a19ed3dc959fd1c25055e53be9bb91

SHA1
fdaffbfa06ba536fae8eb87c89850a4f7da3771b

SHA256
acaa8cee9da9686ecaff0c9bc90181e55e4b0694962b454dcfd2d6f686fe876a

SHA512
5f4786252881f8a8a884780e552cc8b7f7e184c32e362110bdd23c4cba267a5eb4b9a220c898230410587e8e6eac5506bf1057eeb5ebed3f1153f472cbac013e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolarisBETA\debug.log

Filesize
23KB

MD5
faf1a5cc4ffd0480be8ac93bf23a880b

SHA1
df3194757817333bb5d440bc6e031d54f45bb7aa

SHA256
d3aa6f2eb04d3d16cd2bc70f6984f5de8656ebfe944227798e2328e8063b3684

SHA512
1e6b0ea283e708224af100da32a84a148722e59e87f08ee386dd7337be25608f827472eba2e5f9456e041f442c49795163d0e8bfcb4732493e125e6595b67969

Download Submit
memory/536-40-0x000001EB57750000-0x000001EB58750000-memory.dmp

Filesize
16.0MB

Download
memory/1908-31-0x0000010CF3A20000-0x0000010CF3A42000-memory.dmp

Filesize
136KB

Download
memory/1908-4-0x0000010CE3A10000-0x0000010CE3A24000-memory.dmp

Filesize
80KB

Download
memory/1908-6-0x0000010CE3A80000-0x0000010CE3ACA000-memory.dmp

Filesize
296KB

Download
memory/1908-7-0x0000010CE3BF0000-0x0000010CE3DB1000-memory.dmp

Filesize
1.8MB

Download
memory/1908-1-0x00007FFFCC023000-0x00007FFFCC025000-memory.dmp

Filesize
8KB

Download
memory/1908-14-0x0000010CF2AD0000-0x0000010CF2B82000-memory.dmp

Filesize
712KB

Download
memory/1908-5-0x0000010CE3B10000-0x0000010CE3BF0000-memory.dmp

Filesize
896KB

Download
memory/1908-16-0x0000010CF2B90000-0x0000010CF2C06000-memory.dmp

Filesize
472KB

Download
memory/1908-17-0x00007FFFCC020000-0x00007FFFCCAE1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-50-0x00007FFFCC023000-0x00007FFFCC025000-memory.dmp

Filesize
8KB

Download
memory/1908-0-0x0000010CC6A60000-0x0000010CC6A88000-memory.dmp

Filesize
160KB

Download
memory/1908-32-0x0000010CF39B0000-0x0000010CF39CE000-memory.dmp

Filesize
120KB

Download
memory/1908-34-0x0000010CE3DC0000-0x0000010CE4DC0000-memory.dmp

Filesize
16.0MB

Download
memory/1908-2-0x0000010CE1330000-0x0000010CE1544000-memory.dmp

Filesize
2.1MB

Download
memory/1908-3-0x00007FFFCC020000-0x00007FFFCCAE1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-52-0x00007FFFCC020000-0x00007FFFCCAE1000-memory.dmp

Filesize
10.8MB

Download
memory/1908-51-0x00007FFFCC020000-0x00007FFFCCAE1000-memory.dmp

Filesize
10.8MB

Download
memory/2024-15-0x000002D2D5860000-0x000002D2D597F000-memory.dmp

Filesize
1.1MB

Download
memory/2024-37-0x000002D2D5980000-0x000002D2D6980000-memory.dmp

Filesize
16.0MB

Download
memory/2024-13-0x000002D2BB390000-0x000002D2BB396000-memory.dmp

Filesize
24KB

Download
memory/2300-39-0x00000237F0110000-0x00000237F1110000-memory.dmp

Filesize
16.0MB

Download
memory/3652-41-0x0000023562090000-0x0000023563090000-memory.dmp

Filesize
16.0MB

Download
memory/4048-42-0x000002189EFF0000-0x000002189FFF0000-memory.dmp

Filesize
16.0MB

Download
memory/4436-38-0x0000017BA1BE0000-0x0000017BA2BE0000-memory.dmp

Filesize
16.0MB

Download