agenttesla | a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe
Size

1.2MB
MD5

8cc057c58bd59166922b1a6fbf9a0ec7
SHA1

b4872f04759419dc561e3ff75fc81aac19408864
SHA256

a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8
SHA512

ca22d84496d447d687840d0a50a95e19820cf8954c7d3231bbaf8c08e17c7636a6474a5a3448ed4315fa8f63e424bdb9c4d2d49bf90b3d5e0a2963133447c585
SSDEEP

24576:AmAHnh+eWsN3skA4RV1Hom2KXMmHaSqZjj0k1iF2OsfTEE55X5:ABh+ZkldoPK8YaSsN14kfTEm

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 4536	1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4536	RegSvcs.exe
4536	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe
1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe
1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 4536	1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe	85
PID 1400 wrote to memory of 4536	1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe	85
PID 1400 wrote to memory of 4536	1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe	85
PID 1400 wrote to memory of 4536	1400	a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe	85

C:\Users\Admin\AppData\Local\Temp\a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe
"C:\Users\Admin\AppData\Local\Temp\a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\a8d26936158b1aa8cd328768955b747c2f563dc95ed9245fd132befc7dedc3d8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut50DF.tmp

Filesize
262KB

MD5
682f232a7b5ace724f2540315ee267ce

SHA1
c4b20ef860df43a861d3e174f3e5f679e7018797

SHA256
1558ca5eb218e0677be24c10ba8552d686d702f419721473b46c8071369c2d84

SHA512
f14d4c8ffa7fd80185474b7f8db2ef9f4f08dcb355f6dd8bae554d5f40d73dff206c35e7c010d0dced1ba6a7dc3823185f7afdccfcc3bd660f59b9cfe21fda1d

Download Submit
memory/1400-12-0x0000000000E00000-0x0000000000E04000-memory.dmp

Filesize
16KB

Download
memory/4536-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-17-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/4536-18-0x0000000005040000-0x0000000005094000-memory.dmp

Filesize
336KB

Download
memory/4536-19-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-20-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4536-21-0x0000000005120000-0x0000000005172000-memory.dmp

Filesize
328KB

Download
memory/4536-49-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-57-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-81-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-79-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-77-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-75-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-73-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-71-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-69-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-67-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-63-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-61-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-59-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-56-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-53-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-51-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-47-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-45-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-43-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-41-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-39-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-37-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-35-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-33-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-31-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-29-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-27-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-25-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-23-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-22-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-65-0x0000000005120000-0x000000000516D000-memory.dmp

Filesize
308KB

Download
memory/4536-1052-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/4536-1053-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download
memory/4536-1054-0x0000000006600000-0x0000000006650000-memory.dmp

Filesize
320KB

Download
memory/4536-1055-0x00000000066F0000-0x0000000006782000-memory.dmp

Filesize
584KB

Download
memory/4536-1056-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/4536-1057-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-1058-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/4536-1059-0x0000000073F10000-0x00000000746C0000-memory.dmp

Filesize
7.7MB

Download