agenttesla | a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 05:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe
Size

1.2MB
MD5

3f02a2516380a49f81ae8e15e7f548cc
SHA1

282b7fca5197f2257c91e61e5dbbcfdcab9df9eb
SHA256

a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017
SHA512

4c2d392b2bf2cd3c1a14a5bd7a2aef9b7d84c46c0c0180979bc21bdc3e9ef4a069c8e97d843a43f0cc984003e176b719a21705f4a98ae74a4e9a521e527997a4
SSDEEP

24576:iAHnh+eWsN3skA4RV1Hom2KXMmHaYdQOhQHQVQH8bj5QF5:lh+ZkldoPK8YaYibHP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 1892	2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	RegSvcs.exe
1892	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe
2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe
2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1892	2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe	90
PID 2456 wrote to memory of 1892	2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe	90
PID 2456 wrote to memory of 1892	2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe	90
PID 2456 wrote to memory of 1892	2456	a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe	90

C:\Users\Admin\AppData\Local\Temp\a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe
"C:\Users\Admin\AppData\Local\Temp\a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\a38d11fe4e93ba2f88c70c336a98b0f093508fea47967b5a6a7784a7e5a90017.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:5304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autF0B9.tmp

Filesize
262KB

MD5
c3f40d425d3a0ca4b4b41b6caaa0d718

SHA1
098602fbfffaa0498747bf00192e62329e17685e

SHA256
ef7c97b98f5b48fb212a0644860f18db870283d0e81a99af7103fe40f8b111d9

SHA512
9c71fe0c3212e04a8afa02c75e92cf620c645a5f2e75ffed1f17580f2ac6d37e8b9a990ea88061df7aa756719f480dfbf4cd437f7f0f2f593e0a98cd49aefce0

Download Submit
memory/1892-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1892-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1892-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1892-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1892-17-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/1892-18-0x00000000031C0000-0x0000000003214000-memory.dmp

Filesize
336KB

Download
memory/1892-19-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1892-20-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1892-21-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1892-22-0x0000000006030000-0x00000000065D4000-memory.dmp

Filesize
5.6MB

Download
memory/1892-23-0x00000000059E0000-0x0000000005A32000-memory.dmp

Filesize
328KB

Download
memory/1892-24-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-27-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-83-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-81-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-79-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-77-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-75-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-73-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-71-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-69-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-65-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-63-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-62-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-59-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-57-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-55-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-53-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-51-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-49-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-47-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-43-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-41-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-39-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-37-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-35-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-33-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-31-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-25-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-67-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-45-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-29-0x00000000059E0000-0x0000000005A2D000-memory.dmp

Filesize
308KB

Download
memory/1892-1054-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/1892-1055-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/1892-1056-0x0000000007000000-0x0000000007050000-memory.dmp

Filesize
320KB

Download
memory/1892-1057-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/1892-1058-0x0000000007060000-0x000000000706A000-memory.dmp

Filesize
40KB

Download
memory/1892-1059-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1892-1060-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/1892-1061-0x0000000073FA0000-0x0000000074750000-memory.dmp

Filesize
7.7MB

Download
memory/2456-12-0x0000000004060000-0x0000000004064000-memory.dmp

Filesize
16KB

Download