agenttesla | bd1bd32d94b3c1023ca110c3ff7284246f2a1f0f90b79ed85f3e3d8cbef82212

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0002344.doc.exe
Size

1.1MB
MD5

e7aa7465c6a40699506a8dc6c2d9a96a
SHA1

2cc7a0ba6019863e9019cd675fd873adedb021b8
SHA256

8c2c8ec6e56fe9b72549521499758dd53631815fddbd7aac1698c0098b8d4eae
SHA512

5cf673d4666b052a17f759f127ebaae38e819e3f072aa86da82844b9f96654cd665813862eeacdf3b57ec357f0db0a973bcbf04578f9c512a6f92f39ebbb04d3
SSDEEP

24576:lAHnh+eWsN3skA4RV1Hom2KXMmHaFc7RZqdwPri3rbLSkG5:Uh+ZkldoPK8YaFc7idC+7beJ

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	name.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002350d-15.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 4836	2264	name.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	RegSvcs.exe
4836	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2264	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4836	RegSvcs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 2264	4424	0002344.doc.exe	86
PID 4424 wrote to memory of 2264	4424	0002344.doc.exe	86
PID 4424 wrote to memory of 2264	4424	0002344.doc.exe	86
PID 2264 wrote to memory of 4836	2264	name.exe	87
PID 2264 wrote to memory of 4836	2264	name.exe	87
PID 2264 wrote to memory of 4836	2264	name.exe	87
PID 2264 wrote to memory of 4836	2264	name.exe	87

C:\Users\Admin\AppData\Local\Temp\0002344.doc.exe
"C:\Users\Admin\AppData\Local\Temp\0002344.doc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\0002344.doc.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\0002344.doc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autACBB.tmp

Filesize
262KB

MD5
0290f795bb2b11a638bc6209f2c4a9f2

SHA1
825f4c7ce5d82f80b624931407610d6b091d0720

SHA256
6fe5ec0a8c49347a58acc9843afb553f457799913c747cfe60a36c4e66a9ff54

SHA512
9458f28949aba526e3301cad787ef95749dc213f08a8d67de8dc502772d28990e64da794d1516bc92bba36b8e84aaebf1be4e619b576312def86a45db7e1ae72

Download Submit
C:\Users\Admin\AppData\Local\Temp\colliquefaction

Filesize
28KB

MD5
723bcff3c5ee310926bdc428d2041e24

SHA1
7e8ac468edaed14f7b9c47f6b87e112b886a413c

SHA256
bc6a2552759f3b54c7590e3cb1395a62c5fc41a274968543de7d2c3ba041dd8f

SHA512
a6a33311cd81f7594996686cf14952b1080453020ed44a538c7fea9356610f31d557174252d5004e3a19f4a83d83a1e89455995e713cf20dc4bd22c7b1497c0b

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
1.1MB

MD5
e7aa7465c6a40699506a8dc6c2d9a96a

SHA1
2cc7a0ba6019863e9019cd675fd873adedb021b8

SHA256
8c2c8ec6e56fe9b72549521499758dd53631815fddbd7aac1698c0098b8d4eae

SHA512
5cf673d4666b052a17f759f127ebaae38e819e3f072aa86da82844b9f96654cd665813862eeacdf3b57ec357f0db0a973bcbf04578f9c512a6f92f39ebbb04d3

Download Submit
memory/4424-12-0x0000000002320000-0x0000000002324000-memory.dmp

Filesize
16KB

Download
memory/4836-32-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-34-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-35-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-33-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-36-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/4836-37-0x0000000004A90000-0x0000000004AE4000-memory.dmp

Filesize
336KB

Download
memory/4836-39-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/4836-38-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-40-0x0000000004B60000-0x0000000004BB2000-memory.dmp

Filesize
328KB

Download
memory/4836-41-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-101-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-99-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-97-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-95-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-93-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-91-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-89-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-87-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-83-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-82-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-79-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-77-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-76-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-73-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-1078-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/4836-71-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-69-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-67-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-65-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-63-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-59-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-58-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-55-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-53-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-51-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-49-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-47-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-45-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-43-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-85-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-61-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-42-0x0000000004B60000-0x0000000004BAD000-memory.dmp

Filesize
308KB

Download
memory/4836-1079-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/4836-1080-0x00000000062F0000-0x0000000006340000-memory.dmp

Filesize
320KB

Download
memory/4836-1081-0x00000000063E0000-0x0000000006472000-memory.dmp

Filesize
584KB

Download
memory/4836-1082-0x00000000063D0000-0x00000000063DA000-memory.dmp

Filesize
40KB

Download
memory/4836-1083-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4836-1084-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/4836-1085-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download