agenttesla | 1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
Size

832KB
MD5

853b3bdb5b229602674916aba4acf397
SHA1

ff67bdeb85a9bd552818c092bb7187547a420338
SHA256

1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb
SHA512

3f3ba08e66cad50a96c58d11bcafb9d9647cdb12536ab58ebd962e05d05c8119f862f0550724947714e4d54828d905d02d4ded21ece9536d7f084b089d63be70
SSDEEP

12288:SYV6MorX7qzuC3QHO9FQVHPF51jgcP7ZF968JT4/UXuWJeYAijFd6Ll:hBXu9HGaVHTZq/UdJ9z6Ll

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot7288956701:AAGI8Yq8sI6l1S7vYfYKq0jwMldTgmIxjiE/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1812-0-0x0000000000B30000-0x0000000000CF1000-memory.dmp	upx
behavioral1/memory/2608-16-0x0000000000B30000-0x0000000000CF1000-memory.dmp	upx
behavioral1/memory/1812-15-0x0000000000B30000-0x0000000000CF1000-memory.dmp	upx
behavioral1/memory/2608-34-0x0000000000B30000-0x0000000000CF1000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winfile = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winfile\\winfile.exe"	RegSvcs.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	ip-api.com
4	api.ipify.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1812-15-0x0000000000B30000-0x0000000000CF1000-memory.dmp	autoit_exe
behavioral1/memory/2608-34-0x0000000000B30000-0x0000000000CF1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2608 set thread context of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2588	RegSvcs.exe
2588	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	RegSvcs.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2592	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	28
PID 1812 wrote to memory of 2608	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	29
PID 1812 wrote to memory of 2608	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	29
PID 1812 wrote to memory of 2608	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	29
PID 1812 wrote to memory of 2608	1812	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	29
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30
PID 2608 wrote to memory of 2588	2608	1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe	30

C:\Users\Admin\AppData\Local\Temp\1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
"C:\Users\Admin\AppData\Local\Temp\1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe"
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe
  "C:\Users\Admin\AppData\Local\Temp\1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\1fc8f86a0d5763a5c105ca8fc821ae693d36be2d5aa39f676a1c37fdfe1c2ccb.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nonagglutinant

Filesize
28KB

MD5
2408bf71c2b138f77197feb839411a42

SHA1
60397d0ccfa79a2ad4ec53b10a7e802dbad9bc98

SHA256
6f8abe15f44a9c84e41d9894ae95e9c0903837340bea20408f88c644cba9e7d8

SHA512
9c75e550decccca4184978f598a337fe5a4d478879efb18d1eb2e94f0a4addc9b9cabc5e4277186cc621256fcb3bcf29f6524e095f3c84da03ce53cd218688c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\unhelpable

Filesize
266KB

MD5
71fdd037153093db407d101fdce4c442

SHA1
bb26b1f72f384c20627aa0f6a89ddb16007573e4

SHA256
e08a56613c61347d83e9ca11bbe81ce0ecb95e51691df522db4b222e9e88c67d

SHA512
8e17511be9f6d64340276ad1b2a550fd81e45236c1c1bc7b6c3af8450203ca971851765768210ea03a532427b2ff8d9a5d5ed728c8c7283d5c35c4de54710906

Download Submit
memory/1812-12-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1812-0-0x0000000000B30000-0x0000000000CF1000-memory.dmp

Filesize
1.8MB

Download
memory/1812-15-0x0000000000B30000-0x0000000000CF1000-memory.dmp

Filesize
1.8MB

Download
memory/1812-14-0x0000000002B40000-0x0000000002D01000-memory.dmp

Filesize
1.8MB

Download
memory/2588-86-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-80-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2588-35-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2588-1157-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-36-0x00000000731CE000-0x00000000731CF000-memory.dmp

Filesize
4KB

Download
memory/2588-37-0x0000000001FF0000-0x0000000002048000-memory.dmp

Filesize
352KB

Download
memory/2588-38-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-39-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-40-0x0000000002130000-0x0000000002186000-memory.dmp

Filesize
344KB

Download
memory/2588-64-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-98-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-96-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-94-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-1153-0x00000000731C0000-0x00000000738AE000-memory.dmp

Filesize
6.9MB

Download
memory/2588-92-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-90-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-88-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-1156-0x00000000731CE000-0x00000000731CF000-memory.dmp

Filesize
4KB

Download
memory/2588-84-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-82-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-30-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2588-78-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-76-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-74-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-72-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-70-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-66-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-62-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-60-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-58-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-56-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-54-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-52-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-50-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-48-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-46-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-44-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-42-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-68-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2588-41-0x0000000002130000-0x0000000002180000-memory.dmp

Filesize
320KB

Download
memory/2608-16-0x0000000000B30000-0x0000000000CF1000-memory.dmp

Filesize
1.8MB

Download
memory/2608-34-0x0000000000B30000-0x0000000000CF1000-memory.dmp

Filesize
1.8MB

Download