agenttesla | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/07/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe
Size

695KB
MD5

2ad8181dcb3d4983f5f03e8ac5f8d2a2
SHA1

e2f3e332bda9aa7b794b68e134bffef93f8eaf44
SHA256

c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b
SHA512

2845247be4bb30ed6c4e98afa67d7d48ac067e7f472fb2db99b919880e011153b5d54be95e2d64b464a5c38715f19aac3fb942bb2d09179ccea34f0c8945d219
SSDEEP

12288:uYV6MorX7qzuC3QHO9FQVHPF51jgcEM9js/k/oRVJZVsirlvxom4Zs+:NBXu9HGaVHd9js/dV1nEs+

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
380	name.exe

Loads dropped DLL 1 IoCs

pid	Process
2180	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x0000000000BC0000-0x0000000000D49000-memory.dmp	upx
behavioral1/files/0x0007000000016d07-14.dat	upx
behavioral1/memory/2180-16-0x0000000002CF0000-0x0000000002E79000-memory.dmp	upx
behavioral1/memory/2180-20-0x0000000000BC0000-0x0000000000D49000-memory.dmp	upx
behavioral1/memory/380-22-0x00000000008A0000-0x0000000000A29000-memory.dmp	upx
behavioral1/memory/380-41-0x00000000008A0000-0x0000000000A29000-memory.dmp	upx

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2180-20-0x0000000000BC0000-0x0000000000D49000-memory.dmp	autoit_exe
behavioral1/memory/380-22-0x00000000008A0000-0x0000000000A29000-memory.dmp	autoit_exe
behavioral1/memory/380-41-0x00000000008A0000-0x0000000000A29000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 380 set thread context of 2828	380	name.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2828	RegSvcs.exe
2828	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
380	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 380	2180	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	31
PID 2180 wrote to memory of 380	2180	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	31
PID 2180 wrote to memory of 380	2180	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	31
PID 2180 wrote to memory of 380	2180	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	31
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32
PID 380 wrote to memory of 2828	380	name.exe	32

C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe
"C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sancha

Filesize
262KB

MD5
20e5c3cbfa296a9f5a51e653758b438a

SHA1
f662578e3ea0d36323c24663e908ea29858101a3

SHA256
75c8279b4b62516792570ade72af67bca3fe5333ed99ec508a9454723958ec0c

SHA512
e47e05df42c55048d05b821a0442bb4652597ebe6b7d26811585707f29b91f595bc397528683fc6684e781e336a2716f884fe5eef0752d122efddb90dc808e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\porcelainize

Filesize
28KB

MD5
56762e6d923e8858546f407aa0c6472e

SHA1
d91150c920d714fd8591f5a35967a5aa14fe15e0

SHA256
f566ed58f8e7438b7d2e8e08e4e62a989f8646efa37497fa46054cd125163a2a

SHA512
4d3d0a94f1c22ee34ce808b4051fc69c5ac25a20985ef78fe749c4ba7d5b872e1ee6ce4cf691bb93e198873a88310278dd7b5919b8aef098283b03db74767d55

Download Submit
\Users\Admin\AppData\Local\directory\name.exe

Filesize
695KB

MD5
2ad8181dcb3d4983f5f03e8ac5f8d2a2

SHA1
e2f3e332bda9aa7b794b68e134bffef93f8eaf44

SHA256
c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b

SHA512
2845247be4bb30ed6c4e98afa67d7d48ac067e7f472fb2db99b919880e011153b5d54be95e2d64b464a5c38715f19aac3fb942bb2d09179ccea34f0c8945d219

Download Submit
memory/380-22-0x00000000008A0000-0x0000000000A29000-memory.dmp

Filesize
1.5MB

Download
memory/380-41-0x00000000008A0000-0x0000000000A29000-memory.dmp

Filesize
1.5MB

Download
memory/2180-0-0x0000000000BC0000-0x0000000000D49000-memory.dmp

Filesize
1.5MB

Download
memory/2180-12-0x0000000000110000-0x0000000000114000-memory.dmp

Filesize
16KB

Download
memory/2180-16-0x0000000002CF0000-0x0000000002E79000-memory.dmp

Filesize
1.5MB

Download
memory/2180-20-0x0000000000BC0000-0x0000000000D49000-memory.dmp

Filesize
1.5MB

Download
memory/2828-64-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-62-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-42-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2828-43-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/2828-44-0x00000000020E0000-0x0000000002134000-memory.dmp

Filesize
336KB

Download
memory/2828-45-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-48-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-47-0x00000000021D0000-0x0000000002222000-memory.dmp

Filesize
328KB

Download
memory/2828-46-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-80-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-74-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-52-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-68-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-88-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-50-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-37-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2828-60-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-49-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-54-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-56-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-58-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2828-66-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-72-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-84-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-106-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-104-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-102-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-100-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-98-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-96-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-94-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-92-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-90-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-86-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-82-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-78-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-76-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-70-0x00000000021D0000-0x000000000221D000-memory.dmp

Filesize
308KB

Download
memory/2828-1083-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-1084-0x0000000074D2E000-0x0000000074D2F000-memory.dmp

Filesize
4KB

Download
memory/2828-1085-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download