agenttesla | c82bbaafb44f7529b19744c88c66ae4b4dda06c10c681a1a0868b37405a61986

Analysis

max time kernel
1041s
max time network
1146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lucky.exe
Size

74KB
MD5

6800fb9f7e466760a1a6c9375ad279b5
SHA1

92493bd8e395e13c08ee501c7d7863528669912b
SHA256

b53db1f081bac1af022f6a84fb5ad147f031b5db21f562cd5555f86a2ac4b96e
SHA512

a68ba7706c52d3bcb2d504a4d5a753a4949c236afb4a412c218874a60ee00717159a4e33948e8fa72988ef9d853735257ba87981f0c22e0727bd5b3cccc4050e
SSDEEP

1536:xgBZUu1Q3BOxx/bCyB2xHbeK2IuswNsYlW/1WDkB1l/qTpa9t1I6:uzUu1Q3ubl2xHbeK2ILwSUy1WDkBbM0p

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral3/memory/5048-7-0x0000000006070000-0x0000000006284000-memory.dmp	family_agenttesla

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucky.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Lucky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Lucky.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1664	msedge.exe
1664	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	Lucky.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2840	3240	msedge.exe	109
PID 3240 wrote to memory of 2840	3240	msedge.exe	109
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1736	3240	msedge.exe	110
PID 3240 wrote to memory of 1664	3240	msedge.exe	111
PID 3240 wrote to memory of 1664	3240	msedge.exe	111
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112
PID 3240 wrote to memory of 1364	3240	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\Lucky.exe
"C:\Users\Admin\AppData\Local\Temp\Lucky.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5d6ae3b2hcd45h4e4fha74fhbd531bf2e543
1⤵
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffaf7f246f8,0x7ffaf7f24708,0x7ffaf7f24718
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,8759727746308711633,4886416826137682229,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,8759727746308711633,4886416826137682229,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,8759727746308711633,4886416826137682229,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf85f48c0hcb65h4bceha3c5h5e17206003e3
1⤵
PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffaf7f246f8,0x7ffaf7f24708,0x7ffaf7f24718
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,14674089873326472171,18026485284073326475,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,14674089873326472171,18026485284073326475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,14674089873326472171,18026485284073326475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
  2⤵
  PID:1296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0de50ad2b49bcb8debf6a54271f7bfeb

SHA1
db9baad7e12a8f70a0c89dbdbb8d004b28a49605

SHA256
f05a3651c90af12b5dde398ec936e794b57593ab9f1d61804c923d6465112fa3

SHA512
e63e866a3d9de76f2e14b0e6ad96064d65512b1b79a9fd6f0bc14ca933a47a9631ad31eb6cb31f1c1e6ce4ac6848e661e095e5ca6022f80cb071ea5721cf35a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
98257316206ef8d2750572249034aaa4

SHA1
b317a5a6b2400c2dfb0645d0e6cca1dbb05689ae

SHA256
10a451a0d483edae3004a3249de1183541d67cdfbbe8403e10bfa1b7be6fb4b3

SHA512
e1aac39e3d966bc3d2252395ac47d783c3c2f7cfc3b4507a4bcacbde6b31b24d1d32e1d880e28b4287174735d810d631c0cdc5e89b1ae48242bfc7fb4468bef1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
92168dd7a209841b25be6145fa9f1f4c

SHA1
6aabf2eef34e08125c0e8521044c4cd75d91bdc8

SHA256
c93af3f09989c50adb5ba04c936b308bea105e8a758006957fe7eea9ad9ce671

SHA512
4ba7466ad7af3b0c5753deb1de5796e90877f6455c2d27a896bef55cf00bfab62561e4be3dd11e6076a144d23b78f75ca1088e8853374c529b953a73d46a93f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fd2f550646772497b8d8404f9a152ef2

SHA1
a875692a728d8c453ee27c6cc6d0d86797939bfc

SHA256
4cb6ecf0047d05a871997b3c451c87c03db5687494d09b2dd298e1c691603d86

SHA512
c64d583d8a989071b022cc1d8b10cbdd68f3d1ce2bc04e64a0b01e6008cace3505d9518b677045572c2d21b7e6fd3779236db0a10911e826209e3ec473356172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/5048-5-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/5048-10-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/5048-11-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/5048-9-0x0000000007650000-0x000000000768C000-memory.dmp

Filesize
240KB

Download
memory/5048-8-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/5048-7-0x0000000006070000-0x0000000006284000-memory.dmp

Filesize
2.1MB

Download
memory/5048-6-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/5048-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/5048-4-0x0000000005490000-0x00000000054A2000-memory.dmp

Filesize
72KB

Download
memory/5048-3-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/5048-2-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/5048-1-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download