agenttesla | fb5f458182d11b7d4a5aecc6181716e578dabcd79538a5fb2f576ebe1a46876c

Analysis

max time kernel
69s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

28.7MB
MD5

81a221e86dafe083da5c6b80378b9aca
SHA1

f69db77c49553868c7c9f850655faeed0dcc89d3
SHA256

fb5f458182d11b7d4a5aecc6181716e578dabcd79538a5fb2f576ebe1a46876c
SHA512

c9904cf9bbc51cacb5957cbd64c2771e119913ac42b9844e3120d257dfa18cf88f10950e8bbaf2a743c9e10cca7c654b369e8e78bc1279ba2ead317b3c8410ff
SSDEEP

786432:aUAqvMX9QmqEjkwuLLXTeZV+Mo/2nKaAXyyRfH/5SI:atqvYpkPTUlY2nKFCyx

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1240-6-0x000001B5FB0D0000-0x000001B5FB2C6000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

pid	Process
1240	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	Loader.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\394a3b25-f4a3-4a8d-bdc1-32a2b8fb9282.dll

Filesize
427KB

MD5
8a361236edba0e0d8f82a0b1ea65cd92

SHA1
1980d7e42a9893e5f80a6bd9d3f4b517fda3d3c1

SHA256
ac626388ae43531fbd3e6d3a7605b0bc0865403f83550f1a31fc63d45c836fcc

SHA512
62bb49ee4b44c06053780851cf71954bddd07f553315a801fe3f8d20c95e9c2726d56a6d272ea6da53f61c864c8011ba12f93ae4ce0853af4973c4004e66a24f

Download Submit
memory/1240-9-0x00007FFB9A0A0000-0x00007FFB9AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1240-1-0x000001B5DECA0000-0x000001B5E0960000-memory.dmp

Filesize
28.8MB

Download
memory/1240-6-0x000001B5FB0D0000-0x000001B5FB2C6000-memory.dmp

Filesize
2.0MB

Download
memory/1240-7-0x00007FFB9A0A0000-0x00007FFB9AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1240-8-0x000001B5FBC40000-0x000001B5FBD56000-memory.dmp

Filesize
1.1MB

Download
memory/1240-0-0x00007FFB9A0A3000-0x00007FFB9A0A5000-memory.dmp

Filesize
8KB

Download
memory/1240-11-0x000001B5FE160000-0x000001B5FE212000-memory.dmp

Filesize
712KB

Download
memory/1240-10-0x00007FFB9A0A0000-0x00007FFB9AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1240-12-0x000001B5FE040000-0x000001B5FE062000-memory.dmp

Filesize
136KB

Download
memory/1240-13-0x000001B5FE880000-0x000001B5FEDA8000-memory.dmp

Filesize
5.2MB

Download
memory/1240-14-0x00007FFB9A0A3000-0x00007FFB9A0A5000-memory.dmp

Filesize
8KB

Download
memory/1240-15-0x00007FFB9A0A0000-0x00007FFB9AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1240-16-0x00007FFB9A0A0000-0x00007FFB9AB61000-memory.dmp

Filesize
10.8MB

Download