agenttesla | 48d134a16273121969501304718b77ec2325bafb9951a2ae501badc8cf738be4

Analysis

max time kernel
141s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.exe
Size

1.2MB
MD5

a6e9d4fa94edb21aa16b167dfec4f624
SHA1

1b9f0d78dd27baa672c3d904b8bb0e8e9bdf7117
SHA256

f0a931ba453d846bac36ab75d1e79847170cd8f562ccb117e92133434d301abf
SHA512

1f64657ca18349d7977797b47414969494ab914387d1175b1cfeae4cda4f066111059eec2aa66fcf8333398934e764c740ee2d71453ada91fcd71c6a8c66bc64
SSDEEP

24576:/AHnh+eWsN3skA4RV1Hom2KXMmHaWe2HXtKxksRk9bEC5:ih+ZkldoPK8YaWegt+RR8d

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1508 set thread context of 4476	1508	SOA.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4476	RegSvcs.exe
4476	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1508	SOA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1508	SOA.exe
1508	SOA.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1508	SOA.exe
1508	SOA.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 4476	1508	SOA.exe	85
PID 1508 wrote to memory of 4476	1508	SOA.exe	85
PID 1508 wrote to memory of 4476	1508	SOA.exe	85
PID 1508 wrote to memory of 4476	1508	SOA.exe	85

C:\Users\Admin\AppData\Local\Temp\SOA.exe
"C:\Users\Admin\AppData\Local\Temp\SOA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut5360.tmp

Filesize
262KB

MD5
e9f5b1621a3cd5ae5586187289804b7c

SHA1
b455b4248a956d6a6907a9e00e9e8a37c808154c

SHA256
d86d071e35fcedc86965dcb306d2bff1971d34f8212122f7bc7363e8d95bfdd8

SHA512
8bba19758778578340f307d37b4128840a0794b69c1f271c8c89e8e2bde828cbc9920ea5f2200f35338986c73d647c4ae743ea812c4cf86ac700d95ceb182b11

Download Submit
memory/1508-12-0x0000000003FB0000-0x0000000003FB4000-memory.dmp

Filesize
16KB

Download
memory/4476-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4476-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4476-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4476-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4476-17-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4476-18-0x0000000004F70000-0x0000000004FC4000-memory.dmp

Filesize
336KB

Download
memory/4476-20-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/4476-19-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-21-0x0000000005020000-0x0000000005074000-memory.dmp

Filesize
336KB

Download
memory/4476-53-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-73-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-81-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-510-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-79-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-77-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-75-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-71-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-69-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-67-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-65-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-63-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-61-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-59-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-57-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-55-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-51-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-49-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-47-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-45-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-43-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-41-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-39-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-37-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-35-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-33-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-31-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-29-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-25-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-23-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-22-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-27-0x0000000005020000-0x000000000506D000-memory.dmp

Filesize
308KB

Download
memory/4476-1057-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/4476-1058-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4476-1060-0x0000000006050000-0x00000000060A0000-memory.dmp

Filesize
320KB

Download
memory/4476-1061-0x0000000006140000-0x00000000061D2000-memory.dmp

Filesize
584KB

Download
memory/4476-1062-0x00000000060B0000-0x00000000060BA000-memory.dmp

Filesize
40KB

Download
memory/4476-1063-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4476-1064-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/4476-1065-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download