agenttesla | c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
Size

1.1MB
MD5

153458c4d28fe80dbc951898df7348a0
SHA1

11bd2534f5e073d7de5560193ad582ebf1fbf19a
SHA256

7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791
SHA512

7ee79443e9fc623c98b30ab396169eaffb06aa046bc373889cf3de6279a1aea432489c98a764e340c72e27cf782668601807d8541343ae54b8d1bc0241f01318
SSDEEP

24576:zAHnh+eWsN3skA4RV1Hom2KXMmHas4Y4uqBp9fcOpbQ5:+h+ZkldoPK8Yas4nuqDDpK

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
^NpBYBQ0
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

2616 name.exe
Loads dropped DLL 1 IoCs

Processes:

7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe

pid process

2036 7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2616	name.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org

flow	ioc
4	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 2616 set thread context of 2484 2616 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2484 RegSvcs.exe
2484 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

name.exe

pid process

2616 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2484 RegSvcs.exe

description	pid	process	target process
PID 2616 set thread context of 2484	2616	name.exe	RegSvcs.exe

pid	process
2484	RegSvcs.exe
2484	RegSvcs.exe

pid	process
2616	name.exe

description	pid	process
Token: SeDebugPrivilege	2484	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exename.exe

pid	process
2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
2616	name.exe
2616	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exename.exe

pid	process
2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
2616	name.exe
2616	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exename.exe

description	pid	process	target process
PID 2036 wrote to memory of 2616	2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe	name.exe
PID 2036 wrote to memory of 2616	2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe	name.exe
PID 2036 wrote to memory of 2616	2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe	name.exe
PID 2036 wrote to memory of 2616	2036	7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe	name.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe
PID 2616 wrote to memory of 2484	2616	name.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
"C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\disimmure
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.1MB

MD5
153458c4d28fe80dbc951898df7348a0

SHA1
11bd2534f5e073d7de5560193ad582ebf1fbf19a

SHA256
7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791

SHA512
7ee79443e9fc623c98b30ab396169eaffb06aa046bc373889cf3de6279a1aea432489c98a764e340c72e27cf782668601807d8541343ae54b8d1bc0241f01318

Download Submit
memory/2036-10-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download
memory/2484-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2484-35-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/2484-36-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download
memory/2484-38-0x00000000743CE000-0x00000000743CF000-memory.dmp

Filesize
4KB

Download
memory/2484-39-0x00000000743C0000-0x0000000074AAE000-memory.dmp

Filesize
6.9MB

Download