agenttesla | 713d258a9f5522e345d7ecf7b82e2f69c8eaf53536ccb9d582e27d0d981861fb

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
Size

1.1MB
MD5

349d723ecd0a2370dd03befb829bbfe2
SHA1

91035d07ec0a4f68cdf21a346f08a36c251cf553
SHA256

713d258a9f5522e345d7ecf7b82e2f69c8eaf53536ccb9d582e27d0d981861fb
SHA512

68e7fe24bae4a7e7e7272e37013e9d852d43a7d025bcec8354bca30ff7873f0ae5495cad39ad02fae8a43c9711ecdcddd871e12bd1d95c9d6874bb81f77bbdd1
SSDEEP

24576:bAHnh+eWsN3skA4RV1Hom2KXMmHam7t1SkxMEpXCm1cv7H5:2h+ZkldoPK8Yam7zS0npSmqvN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5704903332:AAGQ75Wg6lHVUpPODprifDQYP0_98wUeols/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
888	RegSvcs.exe
888	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29
PID 1984 wrote to memory of 888	1984	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	29

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\outvaunts

Filesize
263KB

MD5
a919781d7c42fb911b1ea668f7606c06

SHA1
8f8eb180558b2a207ab50ee34ddfb649a5f975b8

SHA256
76bf59223dc44cbbcdebd307d450aad401731fbd5a1649d1c6840ce668faa055

SHA512
67941697498177a82063f5064b5cda2a9849d6445339c5707d3e91beda263305b63f10ac25a576bfda34080089ef5e11d29576c142c2c54e84df623f6377b6be

Download Submit
memory/888-57-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-70-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-16-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/888-17-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/888-18-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-19-0x0000000000B90000-0x0000000000BE4000-memory.dmp

Filesize
336KB

Download
memory/888-20-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-72-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-81-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-115-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-78-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-48-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-74-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-53-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-68-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-66-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-64-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-63-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-60-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-1071-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-55-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-76-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-46-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-44-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-42-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-40-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-38-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-36-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-34-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-32-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-30-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-28-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-26-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-24-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-22-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-21-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-58-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-50-0x0000000000B90000-0x0000000000BDE000-memory.dmp

Filesize
312KB

Download
memory/888-1068-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/888-1069-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/888-1070-0x00000000741EE000-0x00000000741EF000-memory.dmp

Filesize
4KB

Download
memory/1984-11-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download