agenttesla | 57f487f0d8eddd22ea6c42f697c612d3969e8cba20925cb72a1b8568b67b3003

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrystalUPDATED.rar
Size

11.5MB
MD5

c4c793cef987e26464a0e2175bad3a4d
SHA1

ea9951d2d76a9435f13a5d5032ba6abf6c4d10da
SHA256

57f487f0d8eddd22ea6c42f697c612d3969e8cba20925cb72a1b8568b67b3003
SHA512

23ab84985bc9fb40655f6fb0ecb7eb48f133be4c4be83ccb52fff35225de47aadb6a394a027cfc7ec370e5c9a234f38e04e2c246443d161e40405719381174f6
SSDEEP

196608:ozhyrqZFHiXs4opYKvXUnIaR7tDzZq2cZSCfPwMUlAc4xN/jnAUN9AxIfg+HM+aX:KIrqHj4opZvYIaRpVq+Cn72AjN7nAUvO

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral2/memory/4660-2166-0x000000000B740000-0x000000000B952000-memory.dmp	family_agenttesla
behavioral2/files/0x000700000002354a-2165.dat	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
4660	Crystal.exe

Loads dropped DLL 9 IoCs

pid	Process
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Crystal.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Crystal.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Crystal.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe
4660	Crystal.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1456	7zG.exe
Token: 35	1456	7zG.exe
Token: SeSecurityPrivilege	1456	7zG.exe
Token: SeSecurityPrivilege	1456	7zG.exe
Token: SeDebugPrivilege	4660	Crystal.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1456	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3608	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED.rar
1⤵
- Modifies registry class
PID:4952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4316

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\" -spe -an -ai#7zMap29981:108:7zEvent14986
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1456

C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe
"C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe

Filesize
144KB

MD5
9e353bbaf855fd44edba02d747b6e9f4

SHA1
289146c6c89604690048b018638e147e8a53cbed

SHA256
2d0efe812711be404787e0c6832284bbacb0e16e35d241cb29d88f44e8bc336e

SHA512
13ebe39c7665b2d17d83f2df9d4241bcc2ddc7e086ab8b7b031ed56f8356611b92901f70e202d44e2d2d349e9c135202592dcc0ce3a45017576e0cde7d7760e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\GraphiteDawnCache\data_1

Filesize
264KB

MD5
963637bd6a2d4b357dbb10e10b716b34

SHA1
a48c30f13c0dbec3f93161eb2aaf29e89286cbb8

SHA256
52aaa4dad3c8bd7bcb3a5b58ba17c7d205e0dc93418d4de671cd539fe5b84006

SHA512
ae7a627c16fac857e594966697f83bcd4892799cbbe872fff129bbf17a6fee510c9965266e6946e44848f248bab645e2dc80104077092e90b8c938d49cfeac46

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Crystal.exe.WebView2\EBWebView\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\CrystalExecutor.exe.WebView2\EBWebView\Default\Network\Cookies

Filesize
20KB

MD5
04d4c386aaf03e6dca3ac87334f03d3f

SHA1
74627631ce3bd2ba43a12aac39f232da662a32c5

SHA256
c130cf082fdce58c9055dba5775490ad8e41055ead5edb0b1e411330144c971d

SHA512
01bce1bbdf00825e19c23559ec41a0236b059cec2e891cf4729288b6275aaff62f442b4556c869bfbe17a91475f22dc98522381b2e4f3bef6d1611f7f9f9bc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
2ab84dc690059b2bd34d2f00561d6af4

SHA1
49b665b40a5ae995edfec80caf7e409c9795e9dd

SHA256
a1e096c6842b9f443679f47e321379d15e1f93c77fd0b6d32b9eb0e93e25ac89

SHA512
80d1c0fbe937655f1e78549c4bdaaa7d8aa55a74945c16f3663fe270c0a715eb7f89dc66490a0164f33444aece768a41e894bdcaa50ce2f88a6dab77b9809afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Microsoft.Web.WebView2.WinForms.dll

Filesize
37KB

MD5
ca1529f9891c243b11934d156dc35bce

SHA1
fa82bd19c2835443bc9ea55644017b5d68ff7a4b

SHA256
b12d2c15e93a0fc29a731bec998e7ddf073b3ae2454f3afdd9934bbe6a223d4a

SHA512
95deee9fbca5bcff0d534f187e003780ff4358a24b5407701a46d5c8109f6d31e7a637b204a30ae5ed6d63caa42a5628a9aab693cbbf892cea60dae05a45c5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc

Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Monaco\fileaccess\node_modules\hasown\.eslintrc

Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Monaco\fileaccess\node_modules\hasown\.nycrc

Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\Monaco\fileaccess\node_modules\vary\LICENSE

Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\SolaraAPI.dll

Filesize
11KB

MD5
a430b95b219c525e77cdb4b684e866e3

SHA1
935a4de89b05d54ca1688aadf7b48d2ccb6b0427

SHA256
8b0446d547abb698ba457789e4ddec67d618148298ea609a3d8b2815a6b6df9f

SHA512
0ea2677441169c77cccfcdd52276b9bc9672b1600908802c95be16feff8f475d21ba1add3a1f77b7754c22aec143fb2190a24022cec59654ffdd28420e43f160

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrystalUPDATED\Debug\runtimes\win-x86\native\WebView2Loader.dll

Filesize
113KB

MD5
df6b6e71cb65552cd9fb283b91ef9908

SHA1
e10f9cccaa4666f070db8209fb99f6fcaf9d9075

SHA256
256510c2872a3a96a8e0a7db0db6c6e7b31ebed34cd6b7c430712ca640c73842

SHA512
80561a65c7dc7dee4517240718d85ffa59782fb8c5be744862d041759db8fd818fefcdeff87a98f904ded0674b873e7f39b1e53d549aab96ff15a88cc85c93a0

Download Submit
memory/4660-2151-0x0000000002C60000-0x0000000002C76000-memory.dmp

Filesize
88KB

Download
memory/4660-2161-0x000000000ADD0000-0x000000000AE60000-memory.dmp

Filesize
576KB

Download
memory/4660-2157-0x0000000005550000-0x000000000555E000-memory.dmp

Filesize
56KB

Download
memory/4660-2166-0x000000000B740000-0x000000000B952000-memory.dmp

Filesize
2.1MB

Download
memory/4660-2153-0x000000000A960000-0x000000000A9F2000-memory.dmp

Filesize
584KB

Download
memory/4660-2162-0x000000000AD60000-0x000000000AD6A000-memory.dmp

Filesize
40KB

Download
memory/4660-2152-0x000000000AF70000-0x000000000B514000-memory.dmp

Filesize
5.6MB

Download
memory/4660-2170-0x000000000E060000-0x000000000E06A000-memory.dmp

Filesize
40KB

Download
memory/4660-2171-0x000000000E170000-0x000000000E17A000-memory.dmp

Filesize
40KB

Download
memory/4660-2150-0x0000000000910000-0x000000000093C000-memory.dmp

Filesize
176KB

Download