agenttesla | 349b75eb0d5c74b180c668dcaafcf5e6b8755d1278eb625e3769f6461924bc30

Analysis

max time kernel
137s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 02:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
Size

1.3MB
MD5

9d9add306867d29b9b665c6c7b65b053
SHA1

07030039678cd165662d4019b18b8f4c1a012c5f
SHA256

dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c
SHA512

a05dc2209a8de1771e7275c96152009972aa1fba34247639befe537a8af75ab7e64234ab343112062f32e5b971a40ea71602bb75ccf2376b69dfb7bb6112e7b4
SSDEEP

24576:6qDEvCTbMWu7rQYlBQcBiT6rprG8aE545pGu0nbkTEamFblGg+y6tuI6l:6TvC/MTQYxsWR7aE545pGu0nbkT4lkgq

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.ipify.org
23	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 2444	2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	96

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2444	RegSvcs.exe
2444	RegSvcs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	RegSvcs.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3396	3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	87
PID 3752 wrote to memory of 3396	3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	87
PID 3752 wrote to memory of 3396	3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	87
PID 3752 wrote to memory of 692	3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	88
PID 3752 wrote to memory of 692	3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	88
PID 3752 wrote to memory of 692	3752	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	88
PID 692 wrote to memory of 3252	692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	90
PID 692 wrote to memory of 3252	692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	90
PID 692 wrote to memory of 3252	692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	90
PID 692 wrote to memory of 4576	692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	91
PID 692 wrote to memory of 4576	692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	91
PID 692 wrote to memory of 4576	692	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	91
PID 4576 wrote to memory of 1536	4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	92
PID 4576 wrote to memory of 1536	4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	92
PID 4576 wrote to memory of 1536	4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	92
PID 4576 wrote to memory of 2348	4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	93
PID 4576 wrote to memory of 2348	4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	93
PID 4576 wrote to memory of 2348	4576	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	93
PID 2348 wrote to memory of 2444	2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	96
PID 2348 wrote to memory of 2444	2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	96
PID 2348 wrote to memory of 2444	2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	96
PID 2348 wrote to memory of 2444	2348	dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe	96

C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
"C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
  2⤵
  PID:3396
- C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
  "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
    3⤵
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
    "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
      4⤵
      PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe
      "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dccd011bce927cea2b3f0d2ff0198a100df5d3f522f12e4d2fbff9d8e568528c.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut853D.tmp

Filesize
261KB

MD5
4477262c56d1d6ea1899ae24acf276f1

SHA1
e89ac4a04b7966949010293c45904b30dc387a48

SHA256
c945c43ba1574a188eea0d7b5199bc764374b22a96aade2bbd729393bb7e4949

SHA512
fb0ea3b41a1cf31e923cf0ae0c515a7500a9321712ed3a3d9b829383c9d19c51df03c18dc12df078def85a6271773c56f4847f9a358d2bad15435ac9498b17f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8BA7.tmp

Filesize
42KB

MD5
5eecf99f9c1f5473bc41e9c22953ecd9

SHA1
fbeea15d9859c0dbfb13fe57b9560c5ae9a00d4f

SHA256
f08ddabcb67efc66efc7cfa0bb72fb21c77e41d732b2c5e65d0bec100e2710d0

SHA512
bfbabf9536d06370e485127f9c0eb6158de3ba3fba1f5d44c464115785d9c706176d47d58266e0ad615587acb364dca96c658ea6bc7b50268d3369d77e07a156

Download Submit
C:\Users\Admin\AppData\Local\Temp\definitization

Filesize
84KB

MD5
e86b31441deb697668037db6f0318909

SHA1
fa8001036450225641b46de50e3626ecdfc8b974

SHA256
432ab1d0c59fc0a292bb92180706d7e7207f589817a90e7b72b91d0f1417164f

SHA512
0406807df5720df649af79cd2a899985c0fc5b07558dd0dc42675080f2f445b1f4a2b38355146bfead6f1a3dfb74d629256905cc549d97e6de8e9fdf7a3b7d1c

Download Submit
memory/2444-102-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-94-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-92-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-60-0x0000000002C20000-0x0000000002C74000-memory.dmp

Filesize
336KB

Download
memory/2444-61-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/2444-62-0x0000000002CF0000-0x0000000002D42000-memory.dmp

Filesize
328KB

Download
memory/2444-80-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-82-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-124-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-122-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-120-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-118-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-116-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-114-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-112-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-108-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-106-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-104-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-1098-0x0000000006A70000-0x0000000006A7A000-memory.dmp

Filesize
40KB

Download
memory/2444-100-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-58-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2444-96-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-59-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2444-90-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-86-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-78-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-76-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-74-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-72-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-68-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-110-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-98-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-88-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-84-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-70-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-63-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-66-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-64-0x0000000002CF0000-0x0000000002D3D000-memory.dmp

Filesize
308KB

Download
memory/2444-1095-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/2444-1096-0x0000000006A10000-0x0000000006A60000-memory.dmp

Filesize
320KB

Download
memory/2444-1097-0x0000000006B00000-0x0000000006B92000-memory.dmp

Filesize
584KB

Download
memory/3752-13-0x00000000039F0000-0x00000000039F4000-memory.dmp

Filesize
16KB

Download