agenttesla | b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/05/2024, 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shipping Documents inv. 523435300XX.exe
Size

1.1MB
MD5

efae427357884a8d496facd0298f6af8
SHA1

a69384c7d0d889050d55e557b51e97aa8a3554f7
SHA256

b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae
SHA512

fa5c041de19a1c812351cad0eb2b040677584969838f37e4e752e9abb85c9db78488f5371015d08e39a33dcbddbc9292f28da23fddea1c5dbfab1ea252ef3a52
SSDEEP

24576:NAHnh+eWsN3skA4RV1Hom2KXMmHazOnIiLQiAQJGyzq925:sh+ZkldoPK8YazOIiLQiRYyzV

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jBpFfg = "C:\\Users\\Admin\\AppData\\Roaming\\jBpFfg\\jBpFfg.exe"	RegSvcs.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4272 set thread context of 4588	4272	Shipping Documents inv. 523435300XX.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4588	RegSvcs.exe
4588	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4272	Shipping Documents inv. 523435300XX.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4272	Shipping Documents inv. 523435300XX.exe
4272	Shipping Documents inv. 523435300XX.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4272	Shipping Documents inv. 523435300XX.exe
4272	Shipping Documents inv. 523435300XX.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4588	4272	Shipping Documents inv. 523435300XX.exe	85
PID 4272 wrote to memory of 4588	4272	Shipping Documents inv. 523435300XX.exe	85
PID 4272 wrote to memory of 4588	4272	Shipping Documents inv. 523435300XX.exe	85
PID 4272 wrote to memory of 4588	4272	Shipping Documents inv. 523435300XX.exe	85

C:\Users\Admin\AppData\Local\Temp\Shipping Documents inv. 523435300XX.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents inv. 523435300XX.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Documents inv. 523435300XX.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut45C3.tmp

Filesize
262KB

MD5
d5502a154cda81ef84937cbadfb0b903

SHA1
0d71ed2fd1095d422c4869618ce6820b5e2d32c4

SHA256
a7d3016a4769b885f55436a7dd9fae812ae34ef256fe339dd18d170db05e6344

SHA512
2a9c362aefe1967987be6e654041a6cc89af876647f8d14d216f016caca8e42c0b64ca744ae5b443e090d5a18f8720e7726f001859c97e6515d531ef9951f923

Download Submit
memory/4272-12-0x0000000001850000-0x0000000001854000-memory.dmp

Filesize
16KB

Download
memory/4588-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4588-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4588-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4588-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4588-17-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/4588-18-0x0000000002950000-0x00000000029A4000-memory.dmp

Filesize
336KB

Download
memory/4588-19-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/4588-20-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4588-22-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4588-23-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4588-21-0x0000000005040000-0x0000000005092000-memory.dmp

Filesize
328KB

Download
memory/4588-25-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-37-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-83-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-81-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-77-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-75-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-73-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-71-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-69-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-67-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-65-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-63-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-61-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-57-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-55-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-53-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-51-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-49-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-47-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-43-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-41-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-39-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-35-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-33-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-32-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-29-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-27-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-79-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-59-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-45-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-24-0x0000000005040000-0x000000000508D000-memory.dmp

Filesize
308KB

Download
memory/4588-1056-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download
memory/4588-1057-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/4588-1059-0x0000000006580000-0x00000000065D0000-memory.dmp

Filesize
320KB

Download
memory/4588-1060-0x0000000006670000-0x0000000006702000-memory.dmp

Filesize
584KB

Download
memory/4588-1061-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/4588-1062-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4588-1063-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/4588-1064-0x0000000074020000-0x00000000747D0000-memory.dmp

Filesize
7.7MB

Download