agenttesla | 08bfa123a60129592b815a499f6df0bf213d5653928cbe2ffe888e29e89b26ff

Analysis

max time kernel
109s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zara+Perm-Cracked.rar
Size

1.1MB
MD5

35650186e819c9d989962232dac3f1c0
SHA1

fd3f35ae36ad648dba0310ce9fbdcfe47b11790a
SHA256

08bfa123a60129592b815a499f6df0bf213d5653928cbe2ffe888e29e89b26ff
SHA512

22e4d1745df1839ffac0dfb8fac087c73828719e0a794dd364e90a7e48e7b92ce2664d1d5000d9f2825a7db8ce81c96b4d8cbf2065de9bb073e64b5b6211c449
SSDEEP

24576:baSfP+wLqs2WM7tioix6LDigmGOzDrHzUYvlksRWGgSp2HFFSZO9rhRgcw:bbX+wLD2lKmxm/zDrTUwjzNpyFT9rrS

Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023483-13.dat	family_agenttesla
behavioral1/memory/724-16-0x0000000005AE0000-0x0000000005CF4000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CEeFtiHpoR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\CEeFtiHpoR"	2.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Lucky.exe

Executes dropped EXE 19 IoCs

pid	Process
724	Lucky.exe
3528	winxsrcsv64.exe
4556	winxsrcsv64.exe
3532	winxsrcsv64.exe
3096	winxsrcsv64.exe
2076	winxsrcsv64.exe
3656	winxsrcsv64.exe
4112	winxsrcsv64.exe
3892	winxsrcsv64.exe
2440	winxsrcsv64.exe
1296	winxsrcsv64.exe
3940	winxsrcsv64.exe
2464	winxsrcsv64.exe
2684	winxsrcsv64.exe
4748	winxsrcsv64.exe
5068	winxsrcsv64.exe
1868	winxsrcsv64.exe
1192	2.exe
2640	2.exe

Loads dropped DLL 4 IoCs

pid	Process
724	Lucky.exe
724	Lucky.exe
724	Lucky.exe
724	Lucky.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.exe	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\iqvw64e.sys	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\skibnidi.bat	Lucky.exe
File created	C:\Windows\IME\1.sys	Lucky.exe
File created	C:\Windows\IME\2.exe	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.sys	Lucky.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1248	sc.exe
4752	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Lucky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Lucky.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Runs net.exe

Suspicious behavior: LoadsDriver 17 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
1192	2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2744	7zG.exe
Token: 35	2744	7zG.exe
Token: SeSecurityPrivilege	2744	7zG.exe
Token: SeSecurityPrivilege	2744	7zG.exe
Token: SeDebugPrivilege	724	Lucky.exe
Token: SeLoadDriverPrivilege	1192	2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
864	OpenWith.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 724 wrote to memory of 3528	724	Lucky.exe	107
PID 724 wrote to memory of 3528	724	Lucky.exe	107
PID 724 wrote to memory of 4556	724	Lucky.exe	109
PID 724 wrote to memory of 4556	724	Lucky.exe	109
PID 724 wrote to memory of 3532	724	Lucky.exe	111
PID 724 wrote to memory of 3532	724	Lucky.exe	111
PID 724 wrote to memory of 3096	724	Lucky.exe	113
PID 724 wrote to memory of 3096	724	Lucky.exe	113
PID 724 wrote to memory of 2076	724	Lucky.exe	115
PID 724 wrote to memory of 2076	724	Lucky.exe	115
PID 724 wrote to memory of 3656	724	Lucky.exe	117
PID 724 wrote to memory of 3656	724	Lucky.exe	117
PID 724 wrote to memory of 4112	724	Lucky.exe	119
PID 724 wrote to memory of 4112	724	Lucky.exe	119
PID 724 wrote to memory of 3892	724	Lucky.exe	121
PID 724 wrote to memory of 3892	724	Lucky.exe	121
PID 724 wrote to memory of 2440	724	Lucky.exe	123
PID 724 wrote to memory of 2440	724	Lucky.exe	123
PID 724 wrote to memory of 1296	724	Lucky.exe	125
PID 724 wrote to memory of 1296	724	Lucky.exe	125
PID 724 wrote to memory of 3940	724	Lucky.exe	127
PID 724 wrote to memory of 3940	724	Lucky.exe	127
PID 724 wrote to memory of 2464	724	Lucky.exe	129
PID 724 wrote to memory of 2464	724	Lucky.exe	129
PID 724 wrote to memory of 2684	724	Lucky.exe	131
PID 724 wrote to memory of 2684	724	Lucky.exe	131
PID 724 wrote to memory of 4748	724	Lucky.exe	133
PID 724 wrote to memory of 4748	724	Lucky.exe	133
PID 724 wrote to memory of 5068	724	Lucky.exe	135
PID 724 wrote to memory of 5068	724	Lucky.exe	135
PID 724 wrote to memory of 1868	724	Lucky.exe	137
PID 724 wrote to memory of 1868	724	Lucky.exe	137
PID 724 wrote to memory of 4920	724	Lucky.exe	139
PID 724 wrote to memory of 4920	724	Lucky.exe	139
PID 724 wrote to memory of 4920	724	Lucky.exe	139
PID 4920 wrote to memory of 2596	4920	cmd.exe	141
PID 4920 wrote to memory of 2596	4920	cmd.exe	141
PID 4920 wrote to memory of 2596	4920	cmd.exe	141
PID 2596 wrote to memory of 4892	2596	net.exe	142
PID 2596 wrote to memory of 4892	2596	net.exe	142
PID 2596 wrote to memory of 4892	2596	net.exe	142
PID 4920 wrote to memory of 3924	4920	cmd.exe	143
PID 4920 wrote to memory of 3924	4920	cmd.exe	143
PID 4920 wrote to memory of 3924	4920	cmd.exe	143
PID 3924 wrote to memory of 1524	3924	net.exe	144
PID 3924 wrote to memory of 1524	3924	net.exe	144
PID 3924 wrote to memory of 1524	3924	net.exe	144
PID 4920 wrote to memory of 1248	4920	cmd.exe	146
PID 4920 wrote to memory of 1248	4920	cmd.exe	146
PID 4920 wrote to memory of 1248	4920	cmd.exe	146
PID 4920 wrote to memory of 4752	4920	cmd.exe	147
PID 4920 wrote to memory of 4752	4920	cmd.exe	147
PID 4920 wrote to memory of 4752	4920	cmd.exe	147
PID 724 wrote to memory of 1192	724	Lucky.exe	149
PID 724 wrote to memory of 1192	724	Lucky.exe	149
PID 724 wrote to memory of 3092	724	Lucky.exe	151
PID 724 wrote to memory of 3092	724	Lucky.exe	151
PID 724 wrote to memory of 3092	724	Lucky.exe	151
PID 3092 wrote to memory of 2640	3092	cmd.exe	153
PID 3092 wrote to memory of 2640	3092	cmd.exe	153

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Zara+Perm-Cracked.rar
1⤵
- Modifies registry class
PID:456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4724

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24929:92:7zEvent6647
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2744

C:\Users\Admin\Desktop\Lucky.exe
"C:\Users\Admin\Desktop\Lucky.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SU AUTO
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BS WG6NYQOE4S9DF3XF
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CS WG6NYQOE4S9DF3XF
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SS WG6NYQOE4S9DF3XF
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SM "System manufacturer"
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SP "System Product Name"
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SV "System Version"
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SK "SKU"
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BT "Default string"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BLC "Default string"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CM "Default string"
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CV "Default string"
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CA "Default string"
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CSK "Default string"
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SF "To be filled by O.E.M."
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /PSN WG6NYQOE4S9DF3XF
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Globalization\Time Zone\skibnidi.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:4892
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:1524
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1248
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4752
- C:\Windows\IME\2.exe
  "C:\Windows\IME\2.exe" C:\Windows\IME\1.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Windows\IME\2.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\IME\2.exe
    C:\Windows\IME\2.exe
    3⤵
    - Executes dropped EXE
    PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Bunifu.UI.WinForms.dll

Filesize
1.3MB

MD5
7bbf428fb683748a73594b9791a39f96

SHA1
341d30a12cbbd2e8c654fb1ddc382017ac83b2c2

SHA256
a870923034e7f135a4e34a3192c39fea8bf2f8f6a82e700b547101245e5f9de9

SHA512
1770ee20d88f83cfe343800a4dbc95eff0c9c253e2f42cd4d52baac959e1c8385c1c208610b10eeb96782283010ecc36d51ecce9bb815d3ee480024936327c58

Download Submit
C:\Users\Admin\Desktop\Guna.UI2.dll

Filesize
2.1MB

MD5
278752062981db6fe27ba55f5099b8ae

SHA1
8446637986cf4a24e9135ee5c54f3170600e1e83

SHA256
538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b

SHA512
142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5

Download Submit
C:\Users\Admin\Desktop\Lucky.exe

Filesize
73KB

MD5
352b567c9c34359d9908b7f74b5f7466

SHA1
89c3e1ceb3fe9cfb2b760dbeb314cc5807a82191

SHA256
833af31aba36d0b1d147081d471ae86e1d9d426a1a568123d21c515aa49ebece

SHA512
188f13a4ab58dbc34ef04ba3abd2e7fad53bd28306a65ee2eb4164fb05a7646e30ef3f80a126e5ec460a711faadc181c3fa023adf1bc4b176bcb732efae66344

Download Submit
C:\Windows\Globalization\Time Zone\skibnidi.bat

Filesize
90B

MD5
80ce921d39b0c2739e3edca44fcf253c

SHA1
9261684c7ab28979d40656ae0bc42f73200509cc

SHA256
40a74428be51efaf4f65f27312fc3e8946338817b7a07d67b12fd7b837bdb546

SHA512
1a085b4633a221c4dd312b13524823dc98b1851ece5b8d90392108563767ed741eb982948ae6ba92815a579313c839b80b4c84fe0752212744e7d127781e10e7

Download Submit
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe

Filesize
379KB

MD5
91a31f23f3e50bd0a722e605687aed1e

SHA1
f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

SHA256
818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

SHA512
649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

Download Submit
C:\Windows\IME\2.exe

Filesize
121KB

MD5
00047e72bb99132267a4bec3158917a2

SHA1
caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e

SHA256
e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4

SHA512
7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5

Download Submit
memory/724-9-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/724-10-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/724-11-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/724-12-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/724-16-0x0000000005AE0000-0x0000000005CF4000-memory.dmp

Filesize
2.1MB

Download
memory/724-17-0x0000000008800000-0x000000000883C000-memory.dmp

Filesize
240KB

Download
memory/724-8-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/724-21-0x00000000093E0000-0x0000000009530000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads