agenttesla | 29e5a652f861c21a69b78ba724c03215c290b8a7e0d834918f69c61dc69b25cf

Analysis

max time kernel
31s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IlluminatiFree.exe
Size

3.4MB
MD5

0d2b81676d5454aa2d64f4e3d5492065
SHA1

da217be8be81f371c35c949b067306d58bc7edc4
SHA256

3159c15e685d17e6349b5b23487380cfa8b2f18a0d8e6db72b5a64ef6eb0a694
SHA512

d92805b3cdc418b22a31439b4d494d014c15b58500af028f8398a006dac0c71e264e30ae25007a3662bac10eb02337db0e5974bdc94971df88d639070a3e6b34
SSDEEP

98304:RtZ1Bb/WtqjM/ECMPXpJxPDREVUTpybRyVpKGXdfW1c:T/E04/FMPXLl2WyRop7Xdfd

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3464-7-0x0000000006560000-0x0000000006774000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	IlluminatiFree.exe

Executes dropped EXE 1 IoCs

pid	Process
4128	trigger.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\triggerbot.exe	IlluminatiFree.exe
File created	C:\Windows\trigger.exe	IlluminatiFree.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IlluminatiFree.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	IlluminatiFree.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	IlluminatiFree.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	IlluminatiFree.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe
3464	IlluminatiFree.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3464	IlluminatiFree.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4128	trigger.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4128	trigger.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4128	trigger.exe
4128	trigger.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 4128	3464	IlluminatiFree.exe	87
PID 3464 wrote to memory of 4128	3464	IlluminatiFree.exe	87

C:\Users\Admin\AppData\Local\Temp\IlluminatiFree.exe
"C:\Users\Admin\AppData\Local\Temp\IlluminatiFree.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\trigger.exe
  "C:\Windows\trigger.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\trigger.exe

Filesize
1.2MB

MD5
2d6b9e9c268c8746c0a94a47417c28d4

SHA1
4c0c418fd2ba68ddfa1de1c06c3e1516c4be297e

SHA256
f2a79c6855148ab387b4614f445f29f6d9de8a034b1051696ed695d665731ad1

SHA512
45709d73fc6571af1db952ee7c84b93a47168002215bed8420653a62066aa934bdee4098014e3182153f8010121f90a7b9df8aaaa03ba3cb0d834ca76a373c58

Download Submit
memory/3464-6-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/3464-2-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-3-0x0000000005DF0000-0x00000000060CE000-memory.dmp

Filesize
2.9MB

Download
memory/3464-4-0x00000000078B0000-0x0000000007E54000-memory.dmp

Filesize
5.6MB

Download
memory/3464-5-0x00000000060D0000-0x0000000006162000-memory.dmp

Filesize
584KB

Download
memory/3464-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3464-7-0x0000000006560000-0x0000000006774000-memory.dmp

Filesize
2.1MB

Download
memory/3464-8-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-9-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3464-10-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-1-0x0000000000D10000-0x0000000001084000-memory.dmp

Filesize
3.5MB

Download
memory/3464-22-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download