agenttesla | f499a10cc0b407da6505c4b29aca2af7b058d3a882a23f7f935a7be3889811db

Analysis

max time kernel
95s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 17:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RC2Bootstrapper.exe
Size

154KB
MD5

baae212c86392bee9742d0bcddbe4f38
SHA1

7d65c52ff09fbaa2183b6cf00f5591575ef623a9
SHA256

7e155e4c91505705da62df4af04950d7461c1c2b1ce85137d845cfdc8cc10435
SHA512

b82826996a7ff383eeb8615df2f6ef2c3544e0fbc9dad6fa411bdeadeae17749414bc60201db57ba63ac1f183b16e59ab6dca4a4934373d20d40837f639e673c
SSDEEP

3072:x7LW6Pr46prwG2k5GlI1JWE9QVsxyvJyn4NTfQf1VZlfWhrn:xXWJ5kICW3Jyn4if1VZNi

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000c0000000233ad-17.dat	family_agenttesla
behavioral4/memory/3732-20-0x00000000061E0000-0x00000000063F2000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
3732	RC2.exe

Loads dropped DLL 2 IoCs

pid	Process
3732	RC2.exe
3732	RC2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RC2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	RC2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 3732	3956	RC2Bootstrapper.exe	87
PID 3956 wrote to memory of 3732	3956	RC2Bootstrapper.exe	87
PID 3956 wrote to memory of 3732	3956	RC2Bootstrapper.exe	87

C:\Users\Admin\AppData\Local\Temp\RC2Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\RC2Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\RC2\RC2.exe
  "RC2\RC2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RC2\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\AppData\Local\Temp\RC2\RC2.exe

Filesize
11KB

MD5
c63d4d9c2cab728a88f9c675ad7ac879

SHA1
42c84de57a3e9fc1ab41f02953b8c81f3a7a3333

SHA256
b2668c676ecd2acf39d68486ec9d3c44955a388823b6d7e8f052066945078e7f

SHA512
d40552e2e4ec9b0fe92c9e3f643430e473b00a38acb115c7dc7b4deb0d91016a0002d2676c7a0a9722cc3645ec97ed5f782bfe4d36f74b31a06508047d25c196

Download Submit
memory/3732-11-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/3732-12-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/3732-13-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/3732-14-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/3732-16-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3732-15-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/3732-20-0x00000000061E0000-0x00000000063F2000-memory.dmp

Filesize
2.1MB

Download
memory/3732-21-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3732-22-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/3732-23-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download