agenttesla | 4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531

Analysis

max time kernel
121s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
Size

1.6MB
MD5

17adc464aa58185418caa49dd6b1c93a
SHA1

56d94c8c288274bfff6499cee5ad30f23d39acff
SHA256

4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531
SHA512

b93b8e823e366a576cf9019cb96feee21409ce476b42f6022c426e03b92948f86df3e5937a901fb8bd9d900db44a5d94caad26371f9c6331db1b7d4a66ec23f1
SSDEEP

24576:1Wtb3BEWpvYCeq4XBFomOe4vwX+wExjd9SvtpvVQtrV+rBUA/6aXOieGAv:YZBEWSX8mOe44X1ZvtJV2a9xrAv

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
dahlia.hostnownow.com
Port:
587
Username:
[email protected]
Password:
Foundation+111
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2644 powershell.exe
2876 powershell.exe
2440 powershell.exe
1128 powershell.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 api.ipify.org
3 api.ipify.org
4 ip-api.com

pid	process
2644	powershell.exe
2876	powershell.exe
2440	powershell.exe
1128	powershell.exe

flow	ioc
2	api.ipify.org
3	api.ipify.org
4	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exevbc.exe

description	pid	process	target process
PID 2132 set thread context of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2740 set thread context of 2884	2740	vbc.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2648 schtasks.exe
2416 schtasks.exe

pid	process
2648	schtasks.exe
2416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.exevbc.exe

pid	process
2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
2876	powershell.exe
2644	powershell.exe
2740	vbc.exe
2740	vbc.exe
2740	vbc.exe
2740	vbc.exe
2740	vbc.exe
2440	powershell.exe
1128	powershell.exe
2740	vbc.exe
2884	vbc.exe
2884	vbc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exepowershell.exepowershell.exevbc.exepowershell.exepowershell.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2740	vbc.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2884	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vbc.exe

pid process

2884 vbc.exe

pid	process
2884	vbc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exevbc.exe

description	pid	process	target process
PID 2132 wrote to memory of 2644	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2644	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2644	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2644	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2876	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2876	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2876	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2876	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	powershell.exe
PID 2132 wrote to memory of 2648	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	schtasks.exe
PID 2132 wrote to memory of 2648	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	schtasks.exe
PID 2132 wrote to memory of 2648	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	schtasks.exe
PID 2132 wrote to memory of 2648	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	schtasks.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2132 wrote to memory of 2740	2132	4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe	vbc.exe
PID 2740 wrote to memory of 2440	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 2440	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 2440	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 2440	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 1128	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 1128	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 1128	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 1128	2740	vbc.exe	powershell.exe
PID 2740 wrote to memory of 2416	2740	vbc.exe	schtasks.exe
PID 2740 wrote to memory of 2416	2740	vbc.exe	schtasks.exe
PID 2740 wrote to memory of 2416	2740	vbc.exe	schtasks.exe
PID 2740 wrote to memory of 2416	2740	vbc.exe	schtasks.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe
PID 2740 wrote to memory of 2884	2740	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe
"C:\Users\Admin\AppData\Local\Temp\4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XXZVezKG.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XXZVezKG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp"
2⤵
- Creates scheduled task(s)
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cUsFfu.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cUsFfu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3A6.tmp"
3⤵
- Creates scheduled task(s)
PID:2416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6AC4.tmp

Filesize
1KB

MD5
5f4f1a2e5c131042b92bf2612d111bf5

SHA1
c881d46a2fd197b91126c4955e51f1c4e6ce6c25

SHA256
c62972e0fcac7e0a16d765b4d39939e49ea4de0ae62da41d4760a88f2ebe6ff5

SHA512
b5115260769aed388d3418a55575a623092d671bd824ffd2272ee68cf2ebc3f014cc3e586452bf617a439b6f7052f005a7cafc223d17da1c1c2978be1022106e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3A6.tmp

Filesize
1KB

MD5
2d1d02cf8d4d65136bb49d2a3e386c47

SHA1
c9c84ad363bdc48c376d86c1f71b21cdfc11404c

SHA256
af6fd2e3f329505fa40673921bba29e1c8089df97bffd9b9640cca111b223586

SHA512
baa02c6f730776673fd0496369ed2f36f5aa4d46d747566f3bc3509a04c7fc80397b7f311c39e43156f5d327358c7ed54cb857ea1c98862977cdf5e2593385bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c8aee10e7c746f60f954586e61072399

SHA1
b0922b0a3c0f0213d5827d24b927abac7c2febe1

SHA256
5c4d8207918d4b8e535ecb9e984f29790ff42f24065d503ff66646739b37c08d

SHA512
cdfc237f9c0cecebe2664878b193bc7a358d3e96e79725c65ce3616dc155c755ce55c554bd806107716c28a59feca819c50ffcd1b086bced9fb82d42f9206c53

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2132-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x00000000013E0000-0x0000000001570000-memory.dmp

Filesize
1.6MB

Download
memory/2132-2-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2132-3-0x00000000004D0000-0x00000000004F2000-memory.dmp

Filesize
136KB

Download
memory/2132-4-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2132-5-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2132-6-0x0000000004BD0000-0x0000000004CEE000-memory.dmp

Filesize
1.1MB

Download
memory/2132-36-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-55-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-42-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-23-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-21-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-44-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-65-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-66-0x00000000002B0000-0x00000000002D2000-memory.dmp

Filesize
136KB

Download
memory/2740-63-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-62-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-59-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-58-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-56-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-28-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-53-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-52-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-50-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-49-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-48-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-43-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-29-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-39-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-38-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-37-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-35-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-30-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-34-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-33-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-32-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-67-0x0000000007010000-0x0000000007094000-memory.dmp

Filesize
528KB

Download
memory/2740-25-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2740-19-0x0000000000400000-0x00000000004DA000-memory.dmp

Filesize
872KB

Download
memory/2884-95-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2884-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download