agenttesla | 4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

1.1MB
MD5

d78f068c7ee6b269428e03e62f6c55a2
SHA1

af2bb266fce49374845566159301ee6583b11129
SHA256

4ef10e7296fb6c5df039a4b95147b1cb4482bdbee0a097863fe345b295302cc9
SHA512

c5fb45464a94fec8dc7c13c2bb863526a4a13df182cbc6740ba6f52bd685107fc849240e8d6859a970748c063a587f41fb5004c5be9fbdadcec7f6a813acf269
SSDEEP

24576:IAHnh+eWsN3skA4RV1Hom2KXMmHaXExQu/4wf7oUn5:Ph+ZkldoPK8YaXE7/5fMA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5786264459:AAFiRqFtUxpuUuFFLRisUX4PeZ4dtd8Y-8A/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	ip-api.com
14	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4832 set thread context of 4740	4832	SOA.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4740	RegSvcs.exe
4740	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3432	SOA.exe
3308	SOA.exe
4832	SOA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3432	SOA.exe
3432	SOA.exe
3308	SOA.exe
3308	SOA.exe
4832	SOA.exe
4832	SOA.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3432	SOA.exe
3432	SOA.exe
3308	SOA.exe
3308	SOA.exe
4832	SOA.exe
4832	SOA.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 4144	3432	SOA.exe	84
PID 3432 wrote to memory of 4144	3432	SOA.exe	84
PID 3432 wrote to memory of 4144	3432	SOA.exe	84
PID 3432 wrote to memory of 3308	3432	SOA.exe	85
PID 3432 wrote to memory of 3308	3432	SOA.exe	85
PID 3432 wrote to memory of 3308	3432	SOA.exe	85
PID 3308 wrote to memory of 4580	3308	SOA.exe	86
PID 3308 wrote to memory of 4580	3308	SOA.exe	86
PID 3308 wrote to memory of 4580	3308	SOA.exe	86
PID 3308 wrote to memory of 4832	3308	SOA.exe	87
PID 3308 wrote to memory of 4832	3308	SOA.exe	87
PID 3308 wrote to memory of 4832	3308	SOA.exe	87
PID 4832 wrote to memory of 4740	4832	SOA.exe	89
PID 4832 wrote to memory of 4740	4832	SOA.exe	89
PID 4832 wrote to memory of 4740	4832	SOA.exe	89
PID 4832 wrote to memory of 4740	4832	SOA.exe	89

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  2⤵
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\SOA.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    3⤵
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\SOA.exe
    "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut27EB.tmp

Filesize
262KB

MD5
52d55df0e5d5d2ee3b083311cf668d24

SHA1
135c7c0962a249eb4cdcfbc4e60dd5844cb653f3

SHA256
47e961a4ebba8406a024861bd4a7c8be343a56ba2a7251693c63e247739bc715

SHA512
4e0b310611535d6e432f9a55fd18c5ecd59ed84050a3e35a0a0be0e08402b6a694f2e37a5a56df597c726c6421af4a8bc3126370d9031f5aca42abcd3d6c0af2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut2CDD.tmp

Filesize
9KB

MD5
a5102b2945e8abd281be7f88df2576f9

SHA1
58580a5c74ebc33354b43eb0b186a052df91da74

SHA256
ebc63fda1008053b9cf14f2f17815a4c0377007ed7a88b41c9493983e7beb20d

SHA512
83d412cbcf484f5a5ee0bf204dfb72b23cc9364b59e1160f612862a2df95ba8e2bfb7e8f9350e5cad9e54752515185b89921d346e3010ff8e48c5d9b8b8f22ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ultraradicalism

Filesize
28KB

MD5
d02cadf9ecc19ea0853252a133256c33

SHA1
45f3ced2f2d6c99d864cdada3bbcb9230eec389f

SHA256
ca2268c77d218c000b73cee85172aaed554f5f9d5b9a8c84877c7e7e6b57036e

SHA512
4d15546a7e8cd83175f08dd764dd28472f9995ac1bffdfd9ec63f6354a0e4d85d2769da9a10b361586add81d907207e3606cd2a572e11340eb28fc479eacb220

Download Submit
memory/3432-12-0x0000000003820000-0x0000000003824000-memory.dmp

Filesize
16KB

Download
memory/4740-85-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-77-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-44-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4740-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4740-45-0x0000000005940000-0x0000000005994000-memory.dmp

Filesize
336KB

Download
memory/4740-46-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/4740-47-0x0000000005A20000-0x0000000005A74000-memory.dmp

Filesize
336KB

Download
memory/4740-57-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-107-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-105-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-103-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-101-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-99-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-97-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-95-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-93-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-89-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-79-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4740-83-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4740-81-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-87-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-75-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-73-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-71-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-69-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-67-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-65-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-63-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-61-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-59-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-55-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-53-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-91-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-51-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-49-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-48-0x0000000005A20000-0x0000000005A6D000-memory.dmp

Filesize
308KB

Download
memory/4740-1094-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4740-1095-0x0000000006FD0000-0x0000000007020000-memory.dmp

Filesize
320KB

Download
memory/4740-1096-0x00000000070C0000-0x0000000007152000-memory.dmp

Filesize
584KB

Download
memory/4740-1097-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/4740-1098-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download