agenttesla | c037429f30412b9308880840a0a5ee836ddd685e1af97c67853fed62308516c7

Analysis

max time kernel
86s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20240802-de
resource tags

arch:x64arch:x86image:win10v2004-20240802-delocale:de-deos:windows10-2004-x64systemwindows
submitted
03-09-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chaser Temp CRACKED.zip
Size

4.5MB
MD5

110ef86686ba4be41314e43de2462cd8
SHA1

3b9e33319f8693d32ac3fe1a0a75b0afb478de1a
SHA256

c037429f30412b9308880840a0a5ee836ddd685e1af97c67853fed62308516c7
SHA512

e5d94bbb8fe50f03391bf37c609d015d4653f1c055c4d15cd93a7ed167271afd3a08530be73d6d62198970e49c2909bff9345ffeff122f313494fcf5f56921ee
SSDEEP

98304:D8JQ9csmb+XU5lemYidFoJjNKdSkGa72mqE2mTgbNJNLzxQcgwH382I/nnD:D8JQWFb5ThvouAbBDnDgi82IfD

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/5504-8-0x0000000005540000-0x0000000005754000-memory.dmp	family_agenttesla

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6084	5504	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypassed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5860	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698339725907185"	rundll32.exe

Modifies system certificate store 2 TTPs 34 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\ClientAuthIssuer	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\eSIM Certification Authorities	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\TestSignRoot	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\TrustedDevices	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7976D14BA502C95403263A0AEE2A91DD357AAEB1	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ClientAuthIssuer\CTLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\TrustedAppRoot	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\REQUEST\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ClientAuthIssuer\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ClientAuthIssuer\CRLs	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\FlightRoot	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\REQUEST	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7976D14BA502C95403263A0AEE2A91DD357AAEB1\Blob = 04000000010000001000000007a3e63b7cd74c7a657eff7a33b2ab420f00000001000000200000001b110b5e195a2b4ff8d28a7b4b157708365b9f1d3f6f37133dbbf539bc4a32ab140000000100000014000000083b341918bc733b95b92864b57878f59ee4d44b1900000001000000100000007a0ee6665f7c51b3587c951eb94d94e40300000001000000140000007976d14ba502c95403263a0aee2a91dd357aaeb15c00000001000000040000000008000020000000010000003f0300003082033b30820223a003020102021425827126fb88f0d0167cbab089371092a40c7571300d06092a864886f70d01010b0500303a310b300906035504030c024536311e301c060355040a0c15476f6f676c65205472757374205365727669636573310b3009060355040613025553301e170d3234303832373136313130335a170d3235303832373136313130335a303a310b300906035504030c024536311e301c060355040a0c15476f6f676c65205472757374205365727669636573310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100a43fb28612a2a1aa1c2528e356ee87e4eaecd6acea46e92ae6ad57f72221e78d236a69d788260fc228a6e3fcdd9a63b9dcd72dfddc6cd13f4d072aca2c702ae4ea66aae2f3f315c6872c1415b3fb63ba095ff853ba77748260caa37d71772b8ac40b8507d0c1ecd60bf70e44b6b40b2439f776e95cb41084f5eef4a5bfbb85ee40f059b23406cb5505f3763d3570b9b42ac7f15eb707713f8b151fc3fe42e88eb96845b8601a3432a6cbc395d823e75013151658d082689c196137da55cebc3749f9c02d399a5b39dc7a23e398c08fbf15b9365fa83d6ed2b9d1b262a2a382de9e066814e2cad2fe44c5610160862658247ee1b478e6c078c0e335dcde6b5ae50203010001a339303730160603551d11040f300d820b6b6579617574682e77696e301d0603551d0e04160414083b341918bc733b95b92864b57878f59ee4d44b300d06092a864886f70d01010b05000382010100176d90883ee4576e694e7abeae08a6cf466032feab42c2a919bda0c2056b0feba4d64bbba9935a1bebf1afafb79a19d8454e43b97fe9e2ffbc744a7aa57c7ba35a07d903242bc15fa05ddcf2fea6285c8296cbd58880c02d8cce8b9a2f7537b84ea7cad4251f2a3afdf8afe5b8f898ac2cd4fec68d492d4a2497590d8be4c3aee4683eff3a64ead0e069cf2754ef84800cd9e3d74ba4fd6f486e1f6b829e50c531eeb2d03be4b70dad6f4a220be2c39905e46038131d854e3480af3ddce07cd70896c1a21501b80cd5f92fe0fe44ff3036b0eb27333701aea147fd757628612deea19c09a36b3c00e482b5b5186d7a009f036630c362eafcce8dbed470b73498	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5504	Morphine.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5044	NOTEPAD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 5944	4764	rundll32.exe	91
PID 4764 wrote to memory of 5944	4764	rundll32.exe	91
PID 2380 wrote to memory of 5680	2380	bypassed.exe	104
PID 2380 wrote to memory of 5680	2380	bypassed.exe	104
PID 5680 wrote to memory of 5508	5680	cmd.exe	105
PID 5680 wrote to memory of 5508	5680	cmd.exe	105
PID 5680 wrote to memory of 2916	5680	cmd.exe	106
PID 5680 wrote to memory of 2916	5680	cmd.exe	106
PID 5680 wrote to memory of 5504	5680	cmd.exe	107
PID 5680 wrote to memory of 5504	5680	cmd.exe	107
PID 5680 wrote to memory of 5504	5680	cmd.exe	107
PID 5504 wrote to memory of 2580	5504	Morphine.exe	108
PID 5504 wrote to memory of 2580	5504	Morphine.exe	108
PID 5504 wrote to memory of 2580	5504	Morphine.exe	108
PID 2580 wrote to memory of 1572	2580	cmd.exe	111
PID 2580 wrote to memory of 1572	2580	cmd.exe	111
PID 2580 wrote to memory of 1572	2580	cmd.exe	111
PID 1572 wrote to memory of 5860	1572	cmd.exe	114
PID 1572 wrote to memory of 5860	1572	cmd.exe	114
PID 1572 wrote to memory of 5860	1572	cmd.exe	114

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Chaser Temp CRACKED.zip"
1⤵
PID:5224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1100

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Chaser Temp CRACKED\Instructions.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:5044

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\Documents\Chaser Temp CRACKED\certificate.crt
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\cryptext.dll,CryptExtAddCERMachineOnlyAndHwnd MIIDOzCCAiOgAwIBAgIUJYJxJvuI8NAWfLqwiTcQkqQMdXEwDQYJKoZIhvcNAQELBQAwOjELMAkGA1UEAwwCRTYxHjAcBgNVBAoMFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczELMAkGA1UEBhMCVVMwHhcNMjQwODI3MTYxMTAzWhcNMjUwODI3MTYxMTAzWjA6MQswCQYDVQQDDAJFNjEeMBwGA1UECgwVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQ/soYSoqGqHCUo41buh+Tq7Nas6kbpKuatV/ciIeeNI2pp14gmD8IopuP83ZpjudzXLf3cbNE/TQcqyixwKuTqZqri8/MVxocsFBWz+2O6CV/4U7p3dIJgyqN9cXcrisQLhQfQwezWC/cORLa0CyQ593bpXLQQhPXu9KW/u4XuQPBZsjQGy1UF83Y9NXC5tCrH8V63B3E/ixUfw/5C6I65aEW4YBo0MqbLw5XYI+dQExUWWNCCaJwZYTfaVc68N0n5wC05mls53Hoj45jAj78VuTZfqD1u0rnRsmKio4LengZoFOLK0v5ExWEBYIYmWCR+4bR45sB4wOM13N5rWuUCAwEAAaM5MDcwFgYDVR0RBA8wDYILa2V5YXV0aC53aW4wHQYDVR0OBBYEFAg7NBkYvHM7lbkoZLV4ePWe5NRLMA0GCSqGSIb3DQEBCwUAA4IBAQAXbZCIPuRXbmlOer6uCKbPRmAy/qtCwqkZvaDCBWsP66TWS7upk1ob6/Gvr7eaGdhFTkO5f+ni/7x0SnqlfHujWgfZAyQrwV+gXdzy/qYoXIKWy9WIgMAtjM6Lmi91N7hOp8rUJR8qOv34r+W4+JisLNT+xo1JLUokl1kNi+TDruRoPv86ZOrQ4GnPJ1TvhIAM2ePXS6T9b0huH2uCnlDFMe6y0Dvktw2tb0oiC+LDmQXkYDgTHYVONICvPdzgfNcIlsGiFQG4DNX5L+D+RP8wNrDrJzM3Aa6hR/11dihhLe6hnAmjazwA5IK1tRhtegCfA2Yww2Lq/M6NvtRwtzSY 66408
  2⤵
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:5944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4948

C:\Users\Admin\Documents\Chaser Temp CRACKED\bypassed.exe
"C:\Users\Admin\Documents\Chaser Temp CRACKED\bypassed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\47A3.tmp\47A4.tmp\47A5.bat "C:\Users\Admin\Documents\Chaser Temp CRACKED\bypassed.exe""
  2⤵
  - Drops file in Drivers directory
  - Suspicious use of WriteProcessMemory
  PID:5680
- - C:\Windows\system32\openfiles.exe
    openfiles
    3⤵
    PID:5508
- - C:\Windows\system32\certutil.exe
    certutil -addstore "Root" "C:\Users\Admin\Documents\Chaser Temp CRACKED\certificate.crt"
    3⤵
    PID:2916
- - C:\Users\Admin\Documents\Chaser Temp CRACKED\Morphine.exe
    "C:\Users\Admin\Documents\Chaser Temp CRACKED\Morphine.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5504
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1572
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1476
      4⤵
      Program crash
      PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5504 -ip 5504
1⤵
PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47A3.tmp\47A4.tmp\47A5.bat

Filesize
1KB

MD5
4139d82b7887de939696e636b8c4a86e

SHA1
42ac906cc609814eb6cc27d5d0ff93c25ff842f2

SHA256
3c5bee69f5de7ccf115c18fe5d908a8a8f6232178f5af7bbb74a8efeddf85647

SHA512
8ddb01874b1c1e37780dfe4defaae393d65e8102ba9f4d0ff67c88694aea5167402b2c748e18078c15924583418bae6fa10a627868f2c94528519bd803103ceb

Download Submit
memory/5504-3-0x0000000000030000-0x0000000000602000-memory.dmp

Filesize
5.8MB

Download
memory/5504-4-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/5504-5-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/5504-6-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/5504-7-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/5504-8-0x0000000005540000-0x0000000005754000-memory.dmp

Filesize
2.1MB

Download
memory/5504-9-0x000000000AD90000-0x000000000ADD2000-memory.dmp

Filesize
264KB

Download
memory/5504-10-0x000000000AEF0000-0x000000000AFF4000-memory.dmp

Filesize
1.0MB

Download
memory/5504-11-0x000000000B190000-0x000000000B31C000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads