agenttesla | 18985da0864633bd764aa9d2760e4f28f0c0558a1baf0b0d855b74332079d021

Analysis

max time kernel
94s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roundcube account_recent_activities_June_06_24___eml.exe
Size

1.3MB
MD5

73dfd9de87af64f52cdf1aea89ff7802
SHA1

dec3e5c60f84ce967a20f08210d8112b37e51ec6
SHA256

76fb2ead4693296ca4bd449b262cc0ccc6527180d71da0a9dcfcdd8518df9651
SHA512

0982185fcc3d08d5993de5f93b8ee9016d8f9dc7a5915daac2b6db8d92d1f90ba19f83e2ffc094fd2e51ed6316ce98055767682fcc6061470babb937899a6300
SSDEEP

24576:BAHnh+eWsN3skA4RV1Hom2KXMmHa6GQqzL3EgZSBYr+ZZRjK5:Yh+ZkldoPK8YaiqzrwE

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ppg-pa.com
Port:
587
Username:
[email protected]
Password:
DKKfy2001$

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Lityerses.vbs	Lityerses.exe

Executes dropped EXE 1 IoCs

pid	Process
1032	Lityerses.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	api.ipify.org
15	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00090000000233a3-15.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 4988	1032	Lityerses.exe	86

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4988	RegSvcs.exe
4988	RegSvcs.exe
4988	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1032	Lityerses.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2976	Roundcube account_recent_activities_June_06_24___eml.exe
2976	Roundcube account_recent_activities_June_06_24___eml.exe
1032	Lityerses.exe
1032	Lityerses.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2976	Roundcube account_recent_activities_June_06_24___eml.exe
2976	Roundcube account_recent_activities_June_06_24___eml.exe
1032	Lityerses.exe
1032	Lityerses.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4988	RegSvcs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 1032	2976	Roundcube account_recent_activities_June_06_24___eml.exe	85
PID 2976 wrote to memory of 1032	2976	Roundcube account_recent_activities_June_06_24___eml.exe	85
PID 2976 wrote to memory of 1032	2976	Roundcube account_recent_activities_June_06_24___eml.exe	85
PID 1032 wrote to memory of 4988	1032	Lityerses.exe	86
PID 1032 wrote to memory of 4988	1032	Lityerses.exe	86
PID 1032 wrote to memory of 4988	1032	Lityerses.exe	86
PID 1032 wrote to memory of 4988	1032	Lityerses.exe	86

C:\Users\Admin\AppData\Local\Temp\Roundcube account_recent_activities_June_06_24___eml.exe
"C:\Users\Admin\AppData\Local\Temp\Roundcube account_recent_activities_June_06_24___eml.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\tilthead\Lityerses.exe
  "C:\Users\Admin\AppData\Local\Temp\Roundcube account_recent_activities_June_06_24___eml.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Roundcube account_recent_activities_June_06_24___eml.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut3808.tmp

Filesize
265KB

MD5
ffbb243cab8a42d23fcffe74cb2f89e7

SHA1
4cb36f5f8521d677cb278c0f3c18bf6775036288

SHA256
f78e244d64f158c80157556ff28427a3425ee29c4febcef1537aeeef79d9efaf

SHA512
a7de504883292704e07af9eb662bac865a5e2667e60a9d5492d57ac410823514bf79e5ae33adb1fcce3eb245772c8adca5d263693d095d474d5afc524f82c030

Download Submit
C:\Users\Admin\AppData\Local\Temp\epistemology

Filesize
59KB

MD5
e72c2a592c998137337572a90904bf93

SHA1
0892025606bad2cd10f263256fecc3840ac4bc1f

SHA256
b5ad8bd5931d59375c06a77c59e1598ce1735c2d6547cbe0f0fbd0dfc4ad78b5

SHA512
8aa6370e96f6980ac0c9174ccf9209afe09f3f2e77a5645e05c179b1ee9d1f55adb3dd2c2a42ef26bcc0bcc4072c428069b46b65fdbb40a9d28ae7497f78f79c

Download Submit
C:\Users\Admin\AppData\Local\tilthead\Lityerses.exe

Filesize
1.3MB

MD5
73dfd9de87af64f52cdf1aea89ff7802

SHA1
dec3e5c60f84ce967a20f08210d8112b37e51ec6

SHA256
76fb2ead4693296ca4bd449b262cc0ccc6527180d71da0a9dcfcdd8518df9651

SHA512
0982185fcc3d08d5993de5f93b8ee9016d8f9dc7a5915daac2b6db8d92d1f90ba19f83e2ffc094fd2e51ed6316ce98055767682fcc6061470babb937899a6300

Download Submit
memory/2976-12-0x0000000000D60000-0x0000000000D64000-memory.dmp

Filesize
16KB

Download
memory/4988-35-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4988-36-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/4988-33-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4988-37-0x0000000002A90000-0x0000000002AE6000-memory.dmp

Filesize
344KB

Download
memory/4988-40-0x0000000004FC0000-0x0000000005014000-memory.dmp

Filesize
336KB

Download
memory/4988-41-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4988-97-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-103-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-101-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-99-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-95-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-93-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-1137-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4988-1136-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/4988-91-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-89-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-85-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-83-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-79-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-77-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-75-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-73-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-72-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-69-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-67-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-66-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-63-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-62-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-59-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-87-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-81-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-57-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-55-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-53-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-51-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-49-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-47-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-45-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-43-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-42-0x0000000004FC0000-0x000000000500F000-memory.dmp

Filesize
316KB

Download
memory/4988-39-0x0000000005570000-0x0000000005B14000-memory.dmp

Filesize
5.6MB

Download
memory/4988-38-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download
memory/4988-34-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4988-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4988-1138-0x00000000065F0000-0x0000000006640000-memory.dmp

Filesize
320KB

Download
memory/4988-1139-0x00000000066E0000-0x000000000677C000-memory.dmp

Filesize
624KB

Download
memory/4988-1140-0x0000000006820000-0x00000000068B2000-memory.dmp

Filesize
584KB

Download
memory/4988-1141-0x00000000067B0000-0x00000000067BA000-memory.dmp

Filesize
40KB

Download
memory/4988-1142-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4988-1143-0x000000007425E000-0x000000007425F000-memory.dmp

Filesize
4KB

Download
memory/4988-1144-0x0000000074250000-0x0000000074A00000-memory.dmp

Filesize
7.7MB

Download