agenttesla | 43fc4d67b0150124d5da346a700b4cfc92a91c141653d9d3cb4beddb91642aca

Resubmissions

27-07-2024 06:21

240727-g4hl3svaqb 4

27-07-2024 05:35

240727-f92rgasfrc 10

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Asuna Lite/Asuna.exe
Size

363KB
MD5

14eded1661b6adcfa19d9cd43b7a8148
SHA1

ee970fac39ed665195fc89fba0114c2dfb663c11
SHA256

6e9c819d4327b2319a9a336acc4f5b7c53e0b284ea66d28534a485a8d038dc94
SHA512

8c6d356e9ecacc7c5b9d2e79b80a5924f0cd790132734af52f2d4a1da3dffaac1a924c4b19fb7b1bfe7618828b4f24f912431c9c74baf15281daf44271febb74
SSDEEP

6144:xAi4pxpRkyHRZa0Gl278IVNcIcW+EbIo98QG9SZyMMyzmBlpkvOD:x4RlGI78IVlbIoSV9SZynnloO

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Guna.UI2.dll	family_agenttesla

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Asuna.exeFlexer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Asuna.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	Flexer.exe

Executes dropped EXE 1 IoCs

Processes:

Flexer.exe

pid process

4380 Flexer.exe
Loads dropped DLL 1 IoCs

Processes:

Flexer.exe

pid process

4380 Flexer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

35 pastebin.com
19 pastebin.com
20 pastebin.com
23 raw.githubusercontent.com
24 raw.githubusercontent.com
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2496 powershell.exe
4360 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4380	Flexer.exe

pid	process
4380	Flexer.exe

flow	ioc
35	pastebin.com
19	pastebin.com
20	pastebin.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Flexer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Flexer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Flexer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Flexer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeFlexer.exe

pid	process
2496	powershell.exe
2496	powershell.exe
4360	powershell.exe
4360	powershell.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe
4380	Flexer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeAsuna.exepowershell.exeFlexer.exe

description	pid	process
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	3044	Asuna.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4380	Flexer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Asuna.exe

description	pid	process	target process
PID 3044 wrote to memory of 2496	3044	Asuna.exe	powershell.exe
PID 3044 wrote to memory of 2496	3044	Asuna.exe	powershell.exe
PID 3044 wrote to memory of 4360	3044	Asuna.exe	powershell.exe
PID 3044 wrote to memory of 4360	3044	Asuna.exe	powershell.exe
PID 3044 wrote to memory of 4380	3044	Asuna.exe	Flexer.exe
PID 3044 wrote to memory of 4380	3044	Asuna.exe	Flexer.exe

C:\Users\Admin\AppData\Local\Temp\Asuna Lite\Asuna.exe
"C:\Users\Admin\AppData\Local\Temp\Asuna Lite\Asuna.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -NoProfile -Command " $ws = New-Object -ComObject WScript.Shell $shortcut = $ws.CreateShortcut('C:\Users\Admin\Desktop\Flexer.lnk') $shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe' $shortcut.Save() "
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -NoProfile -Command " $ws = New-Object -ComObject WScript.Shell $shortcut = $ws.CreateShortcut('C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Flexer.lnk') $shortcut.TargetPath = 'C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe' $shortcut.Save() "
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe
"C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.deps.json

Filesize
4KB

MD5
60097f10c7776fdce608372bb8eb1a70

SHA1
c48c7a1ac5edd78206999b5e4a1f190df4a9b110

SHA256
e65aca243355352b81fc0a93cdd8f93dbbe04719f66f3a3ac7fc1a1477025946

SHA512
cb7672818c7d2962df7e048131463bd36563800c696ff17a22f94c9a98910b851465204c891774335deed3998a86267eef4ea3e329a86e255e0845291cb38a29

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.dll

Filesize
283KB

MD5
35aa3beeac10e1eaf9f78820d3e3e461

SHA1
ec53ad42cdd29ec44c3223b5cc72553ca87288a6

SHA256
cc6875142903a5884e9e7e2573a66ec354ad634b6935537615b3e1f230e50e91

SHA512
26a3878e3d8a8477e9a7652df8c64683a57e884a5ed6a65f48da5f622c0a8a5f635893cf77af6723fe878d77f9b5d55f3b2e45b29f87d6d6487a7500a3334412

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe

Filesize
143KB

MD5
d0b566a81cc36166344998426d351695

SHA1
79d9be955801bb25ffafc3a216a80cde82de1519

SHA256
b2a9cad37ba737f306f2523f8d46866705ff038e437cb342eb2255c1f9329a89

SHA512
5df8e27cff7e6716b49899c0d55d1962243b008b6cee775559198c318e2797f8c159d4469d03e9b2b552ad4d4f4d59903426383fba30ca436280bc19b002a4f6

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe.WebView2\EBWebView\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe.WebView2\EBWebView\Default\Session Storage\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe.WebView2\EBWebView\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe.WebView2\EBWebView\GraphiteDawnCache\data_1

Filesize
264KB

MD5
95676ffdc654fbcde7620362e7f67954

SHA1
ad526c7da5b85eb23755e5162dcb1743cf50fae7

SHA256
58cf848c9ac43f3e179bebc513c93585a6ee05d3a5711f4cf9fbf092a0af4660

SHA512
64bcdae8dab44d51e01558aa0a34abb638867a1b987374ef999d48b43bc4df7d41506b7187267b5dd9e4509d9adb073bba3bda63f59f4c059b0ddb8abbfdd33f

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe.WebView2\EBWebView\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.exe.WebView2\EBWebView\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Flexer.runtimeconfig.json

Filesize
386B

MD5
186a65581e2f29258f54d396660409fa

SHA1
6f998d3be2e85cb5419205f867135874f27c0a3a

SHA256
e1e0974d0e8833375024eb7c78521b3b5cad4228aad22b23d506cbe702445844

SHA512
7dea87b523aab01ea3c794779b71bc0b52179e1d5e7b9a45539ddd39c775969ef22853c4c193699aec1e3fa3cbe26e90e3a4881226c52a3aacae1eac260ff896

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Guna.UI2.dll

Filesize
2.1MB

MD5
b429ae86c5be521bc8ca3b164cec3acb

SHA1
387560073ff5a1f2191abc6f75fc34532bbb6dd2

SHA256
3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579

SHA512
eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Microsoft.Web.WebView2.WinForms.dll

Filesize
37KB

MD5
8153423918c8cbf54b44acec01f1d6c2

SHA1
f0c3c5412b809725e6d4809230adb15cc7d83ad2

SHA256
5696366f7458da940cc986dc5d3d4549a2368512acd769014ecbb07b47bd88b4

SHA512
f3dc771e37c71479d332142ec5a9c5c3f39ca71937f595a0f7482ae5aaaafd92e932efc9b0363d4511d547f3c8b2e0497ebbf8356e7d07fc344f4e5715b0ee87

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\Monaco\package\esm\vs\base\browser\ui\table\table.js

Filesize
368B

MD5
dff5cd240217dc0e722c27be242db91d

SHA1
244d1e7b3a10bb26e52ad9019e0e20f8bb3a72aa

SHA256
151caa77914089aa02273bb851f4b9a198eaab38da7eb9e4bdd7af8075c2dc57

SHA512
e6033e28f65f29ec3a7fc2e367bb6dd2909e38e5e5ccd267fe920e82c25de00c3cf5593db022dc1664ec00652882d5093121f2686788ee3eb60d0b2d87fef6d5

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\runtimes\win-x64\native\WebView2Loader.dll

Filesize
161KB

MD5
c5f0c46e91f354c58ecec864614157d7

SHA1
cb6f85c0b716b4fc3810deb3eb9053beb07e803c

SHA256
465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

SHA512
287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

Download Submit
C:\Users\Admin\AppData\Local\GOTji\Flexers\miyukiClient\workspace\.tests\listfiles\test_2.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxvjonta.eae.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2496-1418-0x0000028A2EED0000-0x0000028A2EEF2000-memory.dmp

Filesize
136KB

Download
memory/2496-1433-0x00007FF90A000000-0x00007FF90AAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2496-1416-0x00007FF90A003000-0x00007FF90A005000-memory.dmp

Filesize
8KB

Download
memory/2496-1428-0x00007FF90A000000-0x00007FF90AAC1000-memory.dmp

Filesize
10.8MB

Download
memory/2496-1427-0x00007FF90A000000-0x00007FF90AAC1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-0-0x00000257C7820000-0x00000257C7821000-memory.dmp

Filesize
4KB

Download