agenttesla | 4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe
Size

1.3MB
MD5

3d265723ffa9ee20e76cd4eb2b628771
SHA1

206bc32e4bf59574ca23b85f8d88ebdafff07307
SHA256

4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f
SHA512

c71adf07df2eb29db2a3a172f7f2b6708d1727e2682b8605fe7a0ae64588e72e8a5f67321e2d45d8cd60fac95cd0b1177ca4121fdc91d77aad126c4d2a3d3612
SSDEEP

24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8a4AppoT+kc78Imj+PJ:rTvC/MTQYxsWR7a4AfkfIS+P

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Drops startup file 1 IoCs

Processes:

temp.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs temp.exe
Executes dropped EXE 2 IoCs

Processes:

temp.exetemp.exe

pid process

2340 temp.exe
2776 temp.exe
Loads dropped DLL 1 IoCs

Processes:

4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe

pid process

2288 4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\temp.vbs	temp.exe

pid	process
2340	temp.exe
2776	temp.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/2776-45-0x0000000000030000-0x0000000000189000-memory.dmp	autoit_exe
behavioral1/memory/2340-32-0x0000000000030000-0x0000000000189000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Local\directory\temp.exe	autoit_exe
behavioral1/memory/2340-29-0x0000000000030000-0x0000000000189000-memory.dmp	autoit_exe
behavioral1/memory/2776-50-0x0000000000030000-0x0000000000189000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

temp.exe

description pid process target process

PID 2776 set thread context of 2440 2776 temp.exe RegSvcs.exe

description	pid	process	target process
PID 2776 set thread context of 2440	2776	temp.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

temp.exetemp.exeRegSvcs.exe4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2440 RegSvcs.exe
2440 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

temp.exetemp.exe

pid process

2340 temp.exe
2776 temp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2440 RegSvcs.exe

pid	process
2440	RegSvcs.exe
2440	RegSvcs.exe

pid	process
2340	temp.exe
2776	temp.exe

description	pid	process
Token: SeDebugPrivilege	2440	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exetemp.exetemp.exe

pid	process
2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe
2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe
2340	temp.exe
2340	temp.exe
2776	temp.exe
2776	temp.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exetemp.exetemp.exe

pid	process
2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe
2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe
2340	temp.exe
2340	temp.exe
2776	temp.exe
2776	temp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

2440 RegSvcs.exe

pid	process
2440	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exetemp.exetemp.exe

description	pid	process	target process
PID 2288 wrote to memory of 2340	2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe	temp.exe
PID 2288 wrote to memory of 2340	2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe	temp.exe
PID 2288 wrote to memory of 2340	2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe	temp.exe
PID 2288 wrote to memory of 2340	2288	4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe	temp.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2768	2340	temp.exe	RegSvcs.exe
PID 2340 wrote to memory of 2776	2340	temp.exe	temp.exe
PID 2340 wrote to memory of 2776	2340	temp.exe	temp.exe
PID 2340 wrote to memory of 2776	2340	temp.exe	temp.exe
PID 2340 wrote to memory of 2776	2340	temp.exe	temp.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe
PID 2776 wrote to memory of 2440	2776	temp.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe
"C:\Users\Admin\AppData\Local\Temp\4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\directory\temp.exe
"C:\Users\Admin\AppData\Local\Temp\4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f.exe"
3⤵
PID:2768

C:\Users\Admin\AppData\Local\directory\temp.exe
"C:\Users\Admin\AppData\Local\directory\temp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\directory\temp.exe"
4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4F.tmp

Filesize
258KB

MD5
1fbf5d98268db9157d8bbaa194e681d0

SHA1
91fa671e61e8391aea443d4ad8c7234ec8a99ff6

SHA256
f0cababe51208ab31d5659acc717371c6011b2f25d7041bf2b21570b14902c2c

SHA512
3418d3116b604f20085fba3f4a3ad10c6ec4b83eadd729a10bb99dbcb624d54efffc08256b8ec99e3c78d7b086eecace7807e21e8decdb1da362fa48ece01c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6F.tmp

Filesize
9KB

MD5
bf4e57b93d5ae23ded949f65e594b76e

SHA1
007179288c79d5698ea77416c718a0d7847177ed

SHA256
cd740426e65e480dc76c680e75aa8b49ca2515e63d92270a2f510263e9fb6d35

SHA512
25a614d27e5186c68de5124fcd942a2168bcd7d25d18cd351e942c1d449246f603c38c2fd184834691fb18eab4a7f3c732aae63547ca5b1e86d83db90dee3be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fricandeaux

Filesize
64KB

MD5
849436e976feac4283b28d8a714eee18

SHA1
477ef9ea26920e73e10dc007a86937d12a9ab47e

SHA256
3a7ff7f5c28db4a50e14f40a1290ba33987bf8b4cda30cb6ba11f90f290c03bd

SHA512
5fec7cbe253bc44d7187a40b54b8bbbbc0901e724cdfd5492a09a4a38e98bedabee5d2cfbc96c51d62a5acc9d5728e7445a98a70947ccf5a342607c4f1ba80c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fricandeaux

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fricandeaux

Filesize
265KB

MD5
825dbe7e3135430fd7a98d108d54724d

SHA1
3b565708cbbbb21b87788ab64fd58469af5a7b3f

SHA256
0685f98a927474ac8dd3da0d773a54625774ea8a8ef3810b5f5c413afbb4ca58

SHA512
6e2e649d53d9d62d9aa8319f25240f57c31154e45005aa797a75b7d1b3d7062627977b90c31b277a08ca96c7d724f5c0a703ab5a42aac6d2de02d5e227062bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonsubmerged

Filesize
28KB

MD5
4270fd4c6618ef505dac04c5b0780556

SHA1
051b8bb4bd2d1ec2992cc4d70ff3db001f6f4b26

SHA256
a34f32566af0446c12801750a78637de9b873ba8c008294958d4b942df5bc8ab

SHA512
dc45019f805b238985b7f935b245ec49fb440f2a4e2b9250227baa5e8f4adb39af85186d83f2e2d6566da802e4bf9573658230f008da39aa232ee8a38331cc66

Download Submit
C:\Users\Admin\AppData\Local\directory\temp.exe

Filesize
1.3MB

MD5
3d265723ffa9ee20e76cd4eb2b628771

SHA1
206bc32e4bf59574ca23b85f8d88ebdafff07307

SHA256
4d649a9c22c200ae71dc6b4fb2f7840dfa2ed78e607f4ce78f5c1ad73073f34f

SHA512
c71adf07df2eb29db2a3a172f7f2b6708d1727e2682b8605fe7a0ae64588e72e8a5f67321e2d45d8cd60fac95cd0b1177ca4121fdc91d77aad126c4d2a3d3612

Download Submit
memory/2288-10-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2340-32-0x0000000000030000-0x0000000000189000-memory.dmp

Filesize
1.3MB

Download
memory/2340-29-0x0000000000030000-0x0000000000189000-memory.dmp

Filesize
1.3MB

Download
memory/2440-84-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-74-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-49-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2440-48-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2440-1156-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-51-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download
memory/2440-52-0x0000000000250000-0x00000000002A6000-memory.dmp

Filesize
344KB

Download
memory/2440-53-0x0000000000C10000-0x0000000000C64000-memory.dmp

Filesize
336KB

Download
memory/2440-54-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-55-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-98-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-97-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-104-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-94-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-92-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-90-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-88-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-86-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-1155-0x0000000074AAE000-0x0000000074AAF000-memory.dmp

Filesize
4KB

Download
memory/2440-82-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-80-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-78-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-76-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-46-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2440-71-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-72-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-69-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-67-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-65-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-63-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-61-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-59-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-57-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-56-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-116-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-114-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-112-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-110-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-108-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-106-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-102-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-100-0x0000000000C10000-0x0000000000C5F000-memory.dmp

Filesize
316KB

Download
memory/2440-1153-0x0000000074AA0000-0x000000007518E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-1154-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2776-45-0x0000000000030000-0x0000000000189000-memory.dmp

Filesize
1.3MB

Download
memory/2776-50-0x0000000000030000-0x0000000000189000-memory.dmp

Filesize
1.3MB

Download