agenttesla | 2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe
Size

1.1MB
MD5

ffb088c4c220cbadd1f3f72296221be9
SHA1

bf4f7b96eb46eaf37bf267828b0c60e35d2faa07
SHA256

2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f
SHA512

27e50ea45f48260db56c6df40af3e6965e97d64f446c0fe39ab60bd46550e31b11dc0ad4aad5296a98d7f6622217cc387819dc835f02504f9721b8eba43adcfe
SSDEEP

24576:pAHnh+eWsN3skA4RV1Hom2KXcmtcRHLRIqAUBt8Va8HGm:wh+ZkldoPKsacRrOqA7A8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.ozkahil.com
Port:
587
Username:
[email protected]
Password:
1122334455

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	name.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org
26	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0002000000022f1f-15.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 2712	2948	name.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	RegSvcs.exe
2712	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2948	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe
1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe
2948	name.exe
2948	name.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe
1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe
2948	name.exe
2948	name.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2712	RegSvcs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2948	1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe	85
PID 1120 wrote to memory of 2948	1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe	85
PID 1120 wrote to memory of 2948	1120	2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe	85
PID 2948 wrote to memory of 2712	2948	name.exe	86
PID 2948 wrote to memory of 2712	2948	name.exe	86
PID 2948 wrote to memory of 2712	2948	name.exe	86
PID 2948 wrote to memory of 2712	2948	name.exe	86

C:\Users\Admin\AppData\Local\Temp\2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe
"C:\Users\Admin\AppData\Local\Temp\2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut35D5.tmp

Filesize
265KB

MD5
78b377597bd2d003cdb3cbe8167fe2a2

SHA1
e2df19c6f8300fcb60b7a1818afe8a4f8e6fc506

SHA256
e02e914e8833df25b5cb081d64b297a945b692fd11ab1bd0db36a3dcd3f9e148

SHA512
cf1e41d07167476a4693f48a5c11f52565d766f02e4360ad3b7c8da0b6e0d88209fa844258675433ab549c240e27fda11c09a643fd0b29cbb2da59931472462a

Download Submit
C:\Users\Admin\AppData\Local\Temp\croc

Filesize
28KB

MD5
c35d9a9df57cc23cda5ca14f161567cb

SHA1
52e593c7be6ab75cbf8bf487fdaff5507df87d77

SHA256
f16ba8b42828b24fcca3898c0e9b0ef655d1d473171ec77cf5b9dc0d1670d282

SHA512
dd1b4f4ee5ed88c44be36959c10c8d067f9ff4b2a4ec5c0d836ef371f38975aa3ca1f316a03a1566c8930128faeb038ee027193918e55941ea97c304a081ad74

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
ffb088c4c220cbadd1f3f72296221be9

SHA1
bf4f7b96eb46eaf37bf267828b0c60e35d2faa07

SHA256
2360548efd0e104cbc31982ecc2b3203763272c2e92109c20f9632dac7eebe2f

SHA512
27e50ea45f48260db56c6df40af3e6965e97d64f446c0fe39ab60bd46550e31b11dc0ad4aad5296a98d7f6622217cc387819dc835f02504f9721b8eba43adcfe

Download Submit
memory/1120-12-0x0000000000AE0000-0x0000000000AE4000-memory.dmp

Filesize
16KB

Download
memory/2712-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-34-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-33-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-35-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-36-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

Filesize
4KB

Download
memory/2712-37-0x0000000005280000-0x00000000052D6000-memory.dmp

Filesize
344KB

Download
memory/2712-38-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-39-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/2712-40-0x0000000005360000-0x00000000053B4000-memory.dmp

Filesize
336KB

Download
memory/2712-94-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-100-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-98-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-96-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-92-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-90-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-88-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-86-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-84-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-82-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-80-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-76-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-74-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-72-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-70-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-68-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-66-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-62-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-60-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-58-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-56-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-54-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-52-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-50-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-48-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-46-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-44-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-42-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-41-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-78-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-64-0x0000000005360000-0x00000000053AF000-memory.dmp

Filesize
316KB

Download
memory/2712-1139-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/2712-1140-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/2712-1141-0x00000000069F0000-0x0000000006A40000-memory.dmp

Filesize
320KB

Download
memory/2712-1142-0x0000000006AE0000-0x0000000006B7C000-memory.dmp

Filesize
624KB

Download
memory/2712-1143-0x0000000006C20000-0x0000000006CB2000-memory.dmp

Filesize
584KB

Download
memory/2712-1144-0x0000000006BA0000-0x0000000006BAA000-memory.dmp

Filesize
40KB

Download
memory/2712-1145-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2712-1146-0x0000000073C2E000-0x0000000073C2F000-memory.dmp

Filesize
4KB

Download
memory/2712-1147-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download