agenttesla | c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b

Analysis

max time kernel
135s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe
Size

695KB
MD5

2ad8181dcb3d4983f5f03e8ac5f8d2a2
SHA1

e2f3e332bda9aa7b794b68e134bffef93f8eaf44
SHA256

c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b
SHA512

2845247be4bb30ed6c4e98afa67d7d48ac067e7f472fb2db99b919880e011153b5d54be95e2d64b464a5c38715f19aac3fb942bb2d09179ccea34f0c8945d219
SSDEEP

12288:uYV6MorX7qzuC3QHO9FQVHPF51jgcEM9js/k/oRVJZVsirlvxom4Zs+:NBXu9HGaVHd9js/dV1nEs+

Score

10^/10

agenttesla keylogger spyware stealer trojan upx

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
364	name.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2536-0-0x0000000000530000-0x00000000006B9000-memory.dmp	upx
behavioral2/files/0x0002000000022afc-16.dat	upx
behavioral2/memory/2536-18-0x0000000000530000-0x00000000006B9000-memory.dmp	upx
behavioral2/memory/364-19-0x00000000000C0000-0x0000000000249000-memory.dmp	upx
behavioral2/memory/364-40-0x00000000000C0000-0x0000000000249000-memory.dmp	upx

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	api.ipify.org
24	api.ipify.org

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2536-18-0x0000000000530000-0x00000000006B9000-memory.dmp	autoit_exe
behavioral2/memory/364-19-0x00000000000C0000-0x0000000000249000-memory.dmp	autoit_exe
behavioral2/memory/364-40-0x00000000000C0000-0x0000000000249000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 364 set thread context of 1004	364	name.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1004	RegSvcs.exe
1004	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
364	name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1004	RegSvcs.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 364	2536	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	88
PID 2536 wrote to memory of 364	2536	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	88
PID 2536 wrote to memory of 364	2536	c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe	88
PID 364 wrote to memory of 1004	364	name.exe	90
PID 364 wrote to memory of 1004	364	name.exe	90
PID 364 wrote to memory of 1004	364	name.exe	90
PID 364 wrote to memory of 1004	364	name.exe	90

C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe
"C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autD88D.tmp

Filesize
262KB

MD5
20e5c3cbfa296a9f5a51e653758b438a

SHA1
f662578e3ea0d36323c24663e908ea29858101a3

SHA256
75c8279b4b62516792570ade72af67bca3fe5333ed99ec508a9454723958ec0c

SHA512
e47e05df42c55048d05b821a0442bb4652597ebe6b7d26811585707f29b91f595bc397528683fc6684e781e336a2716f884fe5eef0752d122efddb90dc808e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\porcelainize

Filesize
28KB

MD5
56762e6d923e8858546f407aa0c6472e

SHA1
d91150c920d714fd8591f5a35967a5aa14fe15e0

SHA256
f566ed58f8e7438b7d2e8e08e4e62a989f8646efa37497fa46054cd125163a2a

SHA512
4d3d0a94f1c22ee34ce808b4051fc69c5ac25a20985ef78fe749c4ba7d5b872e1ee6ce4cf691bb93e198873a88310278dd7b5919b8aef098283b03db74767d55

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
695KB

MD5
2ad8181dcb3d4983f5f03e8ac5f8d2a2

SHA1
e2f3e332bda9aa7b794b68e134bffef93f8eaf44

SHA256
c94709dafba503c64eadc628c7497db95ed36f1e1296ef639c2c6be1154f323b

SHA512
2845247be4bb30ed6c4e98afa67d7d48ac067e7f472fb2db99b919880e011153b5d54be95e2d64b464a5c38715f19aac3fb942bb2d09179ccea34f0c8945d219

Download Submit
memory/364-40-0x00000000000C0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/364-19-0x00000000000C0000-0x0000000000249000-memory.dmp

Filesize
1.5MB

Download
memory/1004-80-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-1085-0x0000000006D40000-0x0000000006D90000-memory.dmp

Filesize
320KB

Download
memory/1004-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1004-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1004-42-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

Filesize
4KB

Download
memory/1004-43-0x0000000002DF0000-0x0000000002E44000-memory.dmp

Filesize
336KB

Download
memory/1004-45-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/1004-44-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-46-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-47-0x0000000005730000-0x0000000005782000-memory.dmp

Filesize
328KB

Download
memory/1004-48-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-50-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-75-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-106-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-104-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-100-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-98-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-96-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-94-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-92-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-90-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-86-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-85-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-36-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1004-37-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1004-79-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-62-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-72-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-70-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-1083-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1004-68-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-66-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-64-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-60-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-58-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-56-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-54-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-52-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-102-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-88-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-82-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-49-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-1084-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/1004-76-0x0000000005730000-0x000000000577D000-memory.dmp

Filesize
308KB

Download
memory/1004-1086-0x0000000006E30000-0x0000000006EC2000-memory.dmp

Filesize
584KB

Download
memory/1004-1087-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/1004-1088-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1004-1089-0x0000000073E3E000-0x0000000073E3F000-memory.dmp

Filesize
4KB

Download
memory/1004-1090-0x0000000073E30000-0x00000000745E0000-memory.dmp

Filesize
7.7MB

Download
memory/2536-0-0x0000000000530000-0x00000000006B9000-memory.dmp

Filesize
1.5MB

Download
memory/2536-13-0x0000000002050000-0x0000000002054000-memory.dmp

Filesize
16KB

Download
memory/2536-18-0x0000000000530000-0x00000000006B9000-memory.dmp

Filesize
1.5MB

Download