agenttesla | 1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13/06/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe
Size

592KB
MD5

57bb9e8fb604e1ce4e1a6f9b66cadde7
SHA1

014f4dba778f1e35e174aaf901898513d878589d
SHA256

1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905
SHA512

9967c4f3e9a475e38f6c213c300b8724d20925b803fcbf98e353c2c3afec2b2d166f1aa661c6149418d9875f256b752909de1850c227e06a35fd34ca42ff8ed8
SSDEEP

12288:OYV6MorX7qzuC3QHO9FQVHPF51jgcHTE/RPNMY7qxHdz84i0jO:tBXu9HGaVH4/rv7qxHdzHi

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.horeca-bucuresti.ro
Port:
21
Username:
[email protected]
Password:
H*TE9iL;x61m

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/400-0-0x00000000005C0000-0x0000000000715000-memory.dmp	upx
behavioral2/memory/400-14-0x00000000005C0000-0x0000000000715000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/400-0-0x00000000005C0000-0x0000000000715000-memory.dmp	autoit_exe
behavioral2/memory/400-14-0x00000000005C0000-0x0000000000715000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 2644	400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2644	RegSvcs.exe
2644	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	RegSvcs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe
400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe
400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2644	400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe	92
PID 400 wrote to memory of 2644	400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe	92
PID 400 wrote to memory of 2644	400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe	92
PID 400 wrote to memory of 2644	400	1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe	92

C:\Users\Admin\AppData\Local\Temp\1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe
"C:\Users\Admin\AppData\Local\Temp\1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\1ff6ac0b734c37004c50b8ceb4c601d8a4d32d4ceb180ed931355d34f178f905.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
1⤵
PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-14-0x00000000005C0000-0x0000000000715000-memory.dmp

Filesize
1.3MB

Download
memory/400-11-0x0000000003930000-0x0000000003934000-memory.dmp

Filesize
16KB

Download
memory/400-0-0x00000000005C0000-0x0000000000715000-memory.dmp

Filesize
1.3MB

Download
memory/2644-17-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/2644-15-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2644-16-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/2644-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2644-18-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2644-19-0x0000000006560000-0x00000000065B0000-memory.dmp

Filesize
320KB

Download
memory/2644-20-0x0000000006650000-0x00000000066E2000-memory.dmp

Filesize
584KB

Download
memory/2644-21-0x00000000065E0000-0x00000000065EA000-memory.dmp

Filesize
40KB

Download
memory/2644-22-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2644-23-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download