agenttesla | c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
19-06-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
Size

1.1MB
MD5

ec066ae04c36cf907aafa4448b614467
SHA1

b53d01c464f61e4654286e8650bb171be14902cf
SHA256

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb
SHA512

b30f55db38a1c4297c50d3d7e87748ee7f5d203a002d58a61d5770394bc39a7c1b46b50fa094282eb21330830ea7fa523e3eb5c0ac7f1229ded244c8a3e4529f
SSDEEP

24576:gqDEvCTbMWu7rQYlBQcBiT6rprG8ap3H+1PNrT:gTvC/MTQYxsWR7aZe1PNr

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jaszredony.hu
Port:
587
Username:
[email protected]
Password:
jRedony77
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

2124 name.exe
Loads dropped DLL 1 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe

pid process

2188 3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2124	name.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 2124 set thread context of 2764 2124 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2764 RegSvcs.exe
2764 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

name.exe

pid process

2124 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2764 RegSvcs.exe

description	pid	process	target process
PID 2124 set thread context of 2764	2124	name.exe	RegSvcs.exe

pid	process
2764	RegSvcs.exe
2764	RegSvcs.exe

pid	process
2124	name.exe

description	pid	process
Token: SeDebugPrivilege	2764	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exename.exe

pid	process
2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
2124	name.exe
2124	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exename.exe

pid	process
2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
2124	name.exe
2124	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exename.exe

description	pid	process	target process
PID 2188 wrote to memory of 2124	2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 2188 wrote to memory of 2124	2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 2188 wrote to memory of 2124	2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 2188 wrote to memory of 2124	2188	3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe	name.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe
PID 2124 wrote to memory of 2764	2124	name.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
"C:\Users\Admin\AppData\Local\Temp\3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\antiprimer
Filesize
239KB

MD5
d1f3325ad62eaba5f91f33006ec709cb

SHA1
c0f7fa0ebfc408db519423f37fdd46b298cff6c7

SHA256
448bd2d99900a089d607f729c5eecf36f60e475929cb12e2262dfd5cf50bac0d

SHA512
06f05c8e95b2b3728755417aa2b63c7d9fdfbbdaf0b5f610a10c3ac97419f4941d26b1b9eb1e78da174ba83dec34281c2a9dab6c55e7eab2715fc08df3941930

Download Submit
C:\Users\Admin\AppData\Local\Temp\demonetising
Filesize
28KB

MD5
2893d98764427db040762730399d7d54

SHA1
fed5a731656fc6de9f96ed35d108345043fa4fee

SHA256
8ac05f366cd7ec1a747987d808de1979e9e7a1eb11dd0a69e47fda8e7bfe5af9

SHA512
e4b9454f5aa2af9c7fca01fb467afad76579c7a13952c134547ac4b1f8e563566c62e9417ece91fa4d2758c10a414accade5ed446298374bfa53ee283778e1b6

Download Submit
\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.1MB

MD5
ec066ae04c36cf907aafa4448b614467

SHA1
b53d01c464f61e4654286e8650bb171be14902cf

SHA256
3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb

SHA512
b30f55db38a1c4297c50d3d7e87748ee7f5d203a002d58a61d5770394bc39a7c1b46b50fa094282eb21330830ea7fa523e3eb5c0ac7f1229ded244c8a3e4529f

Download Submit
memory/2188-10-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2764-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-33-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-35-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2764-36-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download
memory/2764-38-0x00000000743BE000-0x00000000743BF000-memory.dmp

Filesize
4KB

Download
memory/2764-39-0x00000000743B0000-0x0000000074A9E000-memory.dmp

Filesize
6.9MB

Download