agenttesla | 713d258a9f5522e345d7ecf7b82e2f69c8eaf53536ccb9d582e27d0d981861fb

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 15:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
Size

1.1MB
MD5

349d723ecd0a2370dd03befb829bbfe2
SHA1

91035d07ec0a4f68cdf21a346f08a36c251cf553
SHA256

713d258a9f5522e345d7ecf7b82e2f69c8eaf53536ccb9d582e27d0d981861fb
SHA512

68e7fe24bae4a7e7e7272e37013e9d852d43a7d025bcec8354bca30ff7873f0ae5495cad39ad02fae8a43c9711ecdcddd871e12bd1d95c9d6874bb81f77bbdd1
SSDEEP

24576:bAHnh+eWsN3skA4RV1Hom2KXMmHam7t1SkxMEpXCm1cv7H5:2h+ZkldoPK8Yam7zS0npSmqvN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5704903332:AAGQ75Wg6lHVUpPODprifDQYP0_98wUeols/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
888	RegSvcs.exe
888	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

DNS

api.ipify.org

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.13.205

api.ipify.org

IN A

104.26.12.205
GET

https://api.ipify.org/

RegSvcs.exe

Remote address:

172.67.74.152:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 30 May 2024 15:26:16 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 88bfbdd7bdcb7786-LHR
DNS

ip-api.com

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

RegSvcs.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Thu, 30 May 2024 15:26:16 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 55
X-Rl: 43

172.67.74.152:443

https://api.ipify.org/

tls, http

RegSvcs.exe

1.0kB
5.7kB
11
11

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

RegSvcs.exe

264 B
307 B
4
3

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200

8.8.8.8:53

api.ipify.org

dns

RegSvcs.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

172.67.74.152

104.26.13.205

104.26.12.205
8.8.8.8:53

ip-api.com

dns

RegSvcs.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\outvaunts

Filesize
263KB

MD5
a919781d7c42fb911b1ea668f7606c06

SHA1
8f8eb180558b2a207ab50ee34ddfb649a5f975b8

SHA256
76bf59223dc44cbbcdebd307d450aad401731fbd5a1649d1c6840ce668faa055

SHA512
67941697498177a82063f5064b5cda2a9849d6445339c5707d3e91beda263305b63f10ac25a576bfda34080089ef5e11d29576c142c2c54e84df623f6377b6be

Download Submit
memory/888-57-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-70-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-16-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/888-17-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/888-18-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-19-0x0000000000B90000-0x0000000000BE4000-memory.dmp

Filesize
336KB

Download
memory/888-20-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-72-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-81-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-115-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-78-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-48-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-74-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-53-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-68-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-66-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-64-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-63-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-60-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-1071-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-55-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-76-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-46-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-44-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-42-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-40-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-38-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-36-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-34-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-32-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-30-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-28-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-26-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-24-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-22-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-21-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-58-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-50-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-1068-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-1069-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-1070-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/1984-11-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download