agenttesla | 137fc43b5d74c425ea805babdbbdbe277a21111c01bf9d2e364d98481e3e95a8

Analysis

max time kernel
297s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/Mono.Cecil.dll
Size

277KB
MD5

8df4d6b5dc1629fcefcdc20210a88eac
SHA1

16c661757ad90eb84228aa3487db11a2eac6fe64
SHA256

3e4288b32006fe8499b43a7f605bb7337931847a0aa79a33217a1d6d1a6c397e
SHA512

874b4987865588efb806a283b0e785fd24e8b1562026edd43050e150bce6c883134f3c8ad0f8c107b0fb1b26fce6ddcc7e344a5f55c3788dac35035b13d15174
SSDEEP

6144:iYOMWAEq+PAEwGQ9Xivs0s4EtS1Fv8jnLKdFvkPo2:AG+PpjQSHv8jA

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4796-5-0x000001199E210000-0x000001199E406000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SeroXen.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SeroXen.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SeroXen.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SeroXen.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SeroXen.exe

pid process

4796 SeroXen.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SeroXen.exe

description pid process

Token: SeDebugPrivilege 1000 SeroXen.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

SeroXen.exe

pid process

4796 SeroXen.exe
4796 SeroXen.exe
4796 SeroXen.exe
4796 SeroXen.exe
4796 SeroXen.exe
4796 SeroXen.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

SeroXen.exe

pid process

4796 SeroXen.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SeroXen.exe

pid process

4796 SeroXen.exe

pid	process
4796	SeroXen.exe

description	pid	process
Token: SeDebugPrivilege	1000	SeroXen.exe

pid	process
4796	SeroXen.exe
4796	SeroXen.exe
4796	SeroXen.exe
4796	SeroXen.exe
4796	SeroXen.exe
4796	SeroXen.exe

pid	process
4796	SeroXen.exe

pid	process
4796	SeroXen.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\Mono.Cecil.dll,#1
1⤵
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe
"C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe
"C:\Users\Admin\AppData\Local\Temp\Release\SeroXen.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Release\Profiles\Default.xml
Filesize
986B

MD5
878fd2a88f9e0bbf703bda0bd0b606b3

SHA1
338bdbeab30c64382ae727092518c7affc87e74d

SHA256
6f5dff5587f119059a35241e684555fb33c0d7921c64e24176148df0a05edafb

SHA512
0f9552b8fe357070ea2a8c4ec9c17bd3b78172e0f81fe094db3f02a373bd1d59176a7a2635300d3ddab6f44e5920f9f3a43a86686c7866caab9871df45e8081d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Profiles\Default.xml
Filesize
573B

MD5
bffc7dc598bcf4bda005c69c09e5d3de

SHA1
53cb4f0307f5bacdac9278a964ef58283bca3e11

SHA256
7b92e3dc71bd97ea0848a7beb0597cbc7b34569a2bdb9a03e1d5dfe395a27b0d

SHA512
b5c4ddafdf9e138ce0f9019d7bbe39fcea107e3fd61e68b7dd7138ce63a40738629975f6c56536ed8677e88db3c94b68d8d7aae218c89ebff707f61f58c906a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Profiles\Default.xml
Filesize
986B

MD5
cd066e8abf5726b690a2ca6682f741c2

SHA1
947d4ccc8a42e3e836acb49cfa71ac6a05c54f1d

SHA256
a673e6e873daf7564be855f721ee374247269c385cbbdf612d29f4a29c3938a6

SHA512
0bb6832236eb9c761d3d203619400cc71057e37347507773caaf0bb9ed61942712813aaf0ee2dc5d96d6ef7bc6ac1ce1a715eac581c0e4b116877925d6de1739

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\settings.xml
Filesize
51B

MD5
8af01757cc429d1347430084913566d1

SHA1
e4ec570a0b1a5c99e0613da232eeff4b42ffaa75

SHA256
f1a33cd5b1c9368f73b8ff144bed026664577317df27baff774b2bd2acbd52ef

SHA512
3edbca5a661d0fbdd0f8aac994b50e3f844e1d6ee6bfeadf0d8aa89fab1b7cec69b9f687a704c7a989726bb676604e2cdb75ca30441e94a05fdd4027ec9a494a

Download Submit
memory/1000-0-0x00007FF8E75C3000-0x00007FF8E75C5000-memory.dmp

Filesize
8KB

Download
memory/1000-1-0x000001BCFC160000-0x000001BCFC532000-memory.dmp

Filesize
3.8MB

Download
memory/1000-2-0x00007FF8E75C0000-0x00007FF8E8081000-memory.dmp

Filesize
10.8MB

Download
memory/1000-3-0x00007FF8E75C0000-0x00007FF8E8081000-memory.dmp

Filesize
10.8MB

Download
memory/4796-5-0x000001199E210000-0x000001199E406000-memory.dmp

Filesize
2.0MB

Download
memory/4796-8-0x000001199E9E0000-0x000001199E9F0000-memory.dmp

Filesize
64KB

Download