agenttesla | 13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e

Analysis

max time kernel
141s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
Size

1.5MB
MD5

180ad8fe3294d5cbf1508f3576c70f1c
SHA1

831c8ef7b3efedae003526a87139e806c713ed24
SHA256

13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e
SHA512

d5a7ece40082978640d886b33729255c4b47a3bac6fac1973eb475599bf3c79795b2314dd4ae6c87685c56a0c9f9990a42a61d0ba9482be81489fae48900933c
SSDEEP

24576:qIgqdRkAM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhg:qIeMw6kbQlYSRUT7ofIlohsgm

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EXE.lnk	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	EXE.exe

Loads dropped DLL 3 IoCs

pid	Process
2576	cmd.exe
2880	EXE.exe
2880	EXE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
236	PING.EXE
2576	cmd.exe
2516	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE
236	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
2880	EXE.exe
2880	EXE.exe
2880	EXE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
Token: SeDebugPrivilege	2880	EXE.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2652 wrote to memory of 2576	2652	13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe	30
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 2516	2576	cmd.exe	32
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 236	2576	cmd.exe	34
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2576 wrote to memory of 2880	2576	cmd.exe	35
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36
PID 2880 wrote to memory of 2200	2880	EXE.exe	36

C:\Users\Admin\AppData\Local\Temp\13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe
"C:\Users\Admin\AppData\Local\Temp\13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Local\Temp\13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e.exe" "C:\Users\Admin\AppData\Roaming\EXE.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\EXE.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2516
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 39
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:236
- - C:\Users\Admin\AppData\Roaming\EXE.exe
    "C:\Users\Admin\AppData\Roaming\EXE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\EXE.exe

Filesize
1.5MB

MD5
180ad8fe3294d5cbf1508f3576c70f1c

SHA1
831c8ef7b3efedae003526a87139e806c713ed24

SHA256
13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e

SHA512
d5a7ece40082978640d886b33729255c4b47a3bac6fac1973eb475599bf3c79795b2314dd4ae6c87685c56a0c9f9990a42a61d0ba9482be81489fae48900933c

Download Submit
memory/2200-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-22-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2200-18-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2652-0-0x0000000000240000-0x00000000003C2000-memory.dmp

Filesize
1.5MB

Download
memory/2652-1-0x0000000002940000-0x00000000029DE000-memory.dmp

Filesize
632KB

Download
memory/2880-13-0x0000000000160000-0x00000000002E2000-memory.dmp

Filesize
1.5MB

Download
memory/2880-14-0x0000000000A90000-0x0000000000AAA000-memory.dmp

Filesize
104KB

Download
memory/2880-15-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

Filesize
24KB

Download