agenttesla | dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890

Analysis

max time kernel
146s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
Size

1.2MB
MD5

d13e2b48430c76af1370c89131cee57e
SHA1

93b00858190f10f0946f2e9c34cc339ef9905800
SHA256

dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890
SHA512

57e1390a781f6f0aadb01f94107b339dabf66c1e7184e8ccef6b804b751ac099cc9148736459fe8e0d47c919ca078d7a336db75aac5bf8fe5d6cb6f577233ba9
SSDEEP

24576:gAHnh+eWsN3skA4RV1Hom2KXMmHaSMzXy9VaV/RAqWEbbwL5:Xh+ZkldoPK8YaSAi2zx4

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2796 set thread context of 3240	2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3240	RegSvcs.exe
3240	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 2004	1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	80
PID 1052 wrote to memory of 2004	1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	80
PID 1052 wrote to memory of 2004	1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	80
PID 1052 wrote to memory of 4060	1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	81
PID 1052 wrote to memory of 4060	1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	81
PID 1052 wrote to memory of 4060	1052	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	81
PID 4060 wrote to memory of 2912	4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	82
PID 4060 wrote to memory of 2912	4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	82
PID 4060 wrote to memory of 2912	4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	82
PID 4060 wrote to memory of 2796	4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	83
PID 4060 wrote to memory of 2796	4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	83
PID 4060 wrote to memory of 2796	4060	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	83
PID 2796 wrote to memory of 3240	2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	84
PID 2796 wrote to memory of 3240	2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	84
PID 2796 wrote to memory of 3240	2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	84
PID 2796 wrote to memory of 3240	2796	dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe	84

C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
"C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe"
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
  "C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe"
    3⤵
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\dcd56e56cc9a8b7ee966055fe3c227b13f65652b923aefc9cdcde56461e5f890.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4045.tmp

Filesize
261KB

MD5
2326417cea6ba8579886e9015154c929

SHA1
66e7cb6674193355aa5f9624aadf53da35e66397

SHA256
b4d360e5f64c772df4efaa19e2652f78e52585b68ebea830bd5dda708b586d94

SHA512
d6ea8bc419c22dc8cace200a78179af40ea29b496ca4a6a5fd5ee9aa6dadcdd2768ef9f46f1fc162e9f2a2fed9f9eac010ca494df15ba20dd2d7c2ac33357a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4547.tmp

Filesize
9KB

MD5
8ac04cd6d2f61fc8783db291a39c134b

SHA1
398c64f7a5952ff8e87f9fb488b9f4dd45643926

SHA256
3ec14b980dff7c211ac191d3a9da1306803583cfc7fe7ccd6518348c8cc1c6ea

SHA512
f48aa8d47f306102b8f0444f3e3ac0923ed2521db97809d2e514b78dc9495cd27683aa435bc9d87b111270ac46267f8c8699f28060b960f37e42145926bfafe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\immortaliser

Filesize
28KB

MD5
7304794291d458f346db2206f9f8e45f

SHA1
3e897520738862e274a950430df1fc7fa5796c62

SHA256
616b188b7bc01f4a13fc235726c1d8d71b74c548d59a0f562f7dda1757934c79

SHA512
49e3705cefa450dfedc90f42beacf23a114d9a9e68134d48a9f735a7bf285ed5da9df90d909a58211e3c05f55dd12d710affca353c56ef2cf97926346f757c53

Download Submit
memory/1052-12-0x0000000001920000-0x0000000001924000-memory.dmp

Filesize
16KB

Download
memory/3240-79-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-73-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-43-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3240-44-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3240-45-0x0000000005650000-0x00000000056A4000-memory.dmp

Filesize
336KB

Download
memory/3240-46-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/3240-47-0x00000000056E0000-0x0000000005732000-memory.dmp

Filesize
328KB

Download
memory/3240-81-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-85-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-107-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-105-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-103-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-101-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-97-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-95-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-93-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-89-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-75-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-83-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3240-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3240-77-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-87-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-71-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-69-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-67-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-65-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-63-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-61-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-57-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-55-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-53-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-99-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-91-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-59-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-51-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-49-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-48-0x00000000056E0000-0x000000000572D000-memory.dmp

Filesize
308KB

Download
memory/3240-1080-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/3240-1081-0x0000000006DB0000-0x0000000006E00000-memory.dmp

Filesize
320KB

Download
memory/3240-1082-0x0000000006EA0000-0x0000000006F32000-memory.dmp

Filesize
584KB

Download
memory/3240-1083-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/3240-1084-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download