agenttesla | 713d258a9f5522e345d7ecf7b82e2f69c8eaf53536ccb9d582e27d0d981861fb

Analysis

max time kernel
104s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
Size

1.1MB
MD5

349d723ecd0a2370dd03befb829bbfe2
SHA1

91035d07ec0a4f68cdf21a346f08a36c251cf553
SHA256

713d258a9f5522e345d7ecf7b82e2f69c8eaf53536ccb9d582e27d0d981861fb
SHA512

68e7fe24bae4a7e7e7272e37013e9d852d43a7d025bcec8354bca30ff7873f0ae5495cad39ad02fae8a43c9711ecdcddd871e12bd1d95c9d6874bb81f77bbdd1
SSDEEP

24576:bAHnh+eWsN3skA4RV1Hom2KXMmHam7t1SkxMEpXCm1cv7H5:2h+ZkldoPK8Yam7zS0npSmqvN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5704903332:AAGQ75Wg6lHVUpPODprifDQYP0_98wUeols/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org
17	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5112 set thread context of 4308	5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4308	RegSvcs.exe
4308	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 4308	5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	85
PID 5112 wrote to memory of 4308	5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	85
PID 5112 wrote to memory of 4308	5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	85
PID 5112 wrote to memory of 4308	5112	SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe	85

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.AutoIt.1390.21633.8031.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut2E72.tmp

Filesize
263KB

MD5
a919781d7c42fb911b1ea668f7606c06

SHA1
8f8eb180558b2a207ab50ee34ddfb649a5f975b8

SHA256
76bf59223dc44cbbcdebd307d450aad401731fbd5a1649d1c6840ce668faa055

SHA512
67941697498177a82063f5064b5cda2a9849d6445339c5707d3e91beda263305b63f10ac25a576bfda34080089ef5e11d29576c142c2c54e84df623f6377b6be

Download Submit
memory/4308-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-17-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/4308-18-0x0000000002900000-0x0000000002956000-memory.dmp

Filesize
344KB

Download
memory/4308-19-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-20-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/4308-22-0x0000000004F40000-0x0000000004F94000-memory.dmp

Filesize
336KB

Download
memory/4308-23-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-21-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-65-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-67-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-83-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-81-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-79-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-75-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-73-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-71-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-69-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-63-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-59-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-57-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-55-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-53-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-1070-0x0000000005140000-0x00000000051A6000-memory.dmp

Filesize
408KB

Download
memory/4308-51-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-49-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-45-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-43-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-41-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-39-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-35-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-33-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-31-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-29-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-27-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-1071-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4308-25-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-24-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-77-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-61-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-47-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-37-0x0000000004F40000-0x0000000004F8E000-memory.dmp

Filesize
312KB

Download
memory/4308-1072-0x0000000006610000-0x0000000006660000-memory.dmp

Filesize
320KB

Download
memory/4308-1073-0x0000000006700000-0x0000000006792000-memory.dmp

Filesize
584KB

Download
memory/4308-1074-0x0000000006680000-0x000000000668A000-memory.dmp

Filesize
40KB

Download
memory/4308-1075-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4308-1076-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/4308-1077-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/5112-12-0x0000000002A90000-0x0000000002A94000-memory.dmp

Filesize
16KB

Download