agenttesla | 7a112707b36ddcf967cc1e7f0bc161235c66f1b500c5e50ac965ded2d6510a8d

Analysis

max time kernel
115s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zara+Perm_new.zip
Size

1.2MB
MD5

e8456131ab377ae61e38f19ce4840562
SHA1

baeb4172af9550de15741492c161899ac1a4cfe9
SHA256

7a112707b36ddcf967cc1e7f0bc161235c66f1b500c5e50ac965ded2d6510a8d
SHA512

7477f4829e844ce11c6cfffb457892112ae54be658219bf5a44fbb3f5074be40d99225148f378f668108af73e9a2e1bce0cbb7608e561add86ac832931f1dad5
SSDEEP

24576:wzH27W1IP/f7Ujewe0R1r64bVwxgaOysqN/lsOuh7rQCzwWV1D:wj261IPXMew7rVbSjJN/lsOesWH

Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234e8-13.dat	family_agenttesla
behavioral2/memory/1816-16-0x0000000005260000-0x0000000005474000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hdOAxCewhITivJnjeXgRIbfjSuQz\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\hdOAxCewhITivJnjeXgRIbfjSuQz"	2.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Lucky.exe

Executes dropped EXE 19 IoCs

pid	Process
1816	Lucky.exe
2452	winxsrcsv64.exe
2916	winxsrcsv64.exe
5092	winxsrcsv64.exe
3692	winxsrcsv64.exe
4808	winxsrcsv64.exe
1868	winxsrcsv64.exe
1612	winxsrcsv64.exe
4192	winxsrcsv64.exe
1212	winxsrcsv64.exe
1300	winxsrcsv64.exe
3708	winxsrcsv64.exe
3540	winxsrcsv64.exe
4648	winxsrcsv64.exe
3044	winxsrcsv64.exe
1492	winxsrcsv64.exe
2256	winxsrcsv64.exe
872	2.exe
860	2.exe

Loads dropped DLL 4 IoCs

pid	Process
1816	Lucky.exe
1816	Lucky.exe
1816	Lucky.exe
1816	Lucky.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.sys	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.exe	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\iqvw64e.sys	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\skibnidi.bat	Lucky.exe
File created	C:\Windows\IME\1.sys	Lucky.exe
File created	C:\Windows\IME\2.exe	Lucky.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1288	sc.exe
4400	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Lucky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Lucky.exe

Runs net.exe

Suspicious behavior: LoadsDriver 17 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
872	2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2652	7zG.exe
Token: 35	2652	7zG.exe
Token: SeSecurityPrivilege	2652	7zG.exe
Token: SeSecurityPrivilege	2652	7zG.exe
Token: SeDebugPrivilege	1816	Lucky.exe
Token: SeLoadDriverPrivilege	872	2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2652	7zG.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2452	1816	Lucky.exe	101
PID 1816 wrote to memory of 2452	1816	Lucky.exe	101
PID 1816 wrote to memory of 2916	1816	Lucky.exe	103
PID 1816 wrote to memory of 2916	1816	Lucky.exe	103
PID 1816 wrote to memory of 5092	1816	Lucky.exe	105
PID 1816 wrote to memory of 5092	1816	Lucky.exe	105
PID 1816 wrote to memory of 3692	1816	Lucky.exe	107
PID 1816 wrote to memory of 3692	1816	Lucky.exe	107
PID 1816 wrote to memory of 4808	1816	Lucky.exe	109
PID 1816 wrote to memory of 4808	1816	Lucky.exe	109
PID 1816 wrote to memory of 1868	1816	Lucky.exe	111
PID 1816 wrote to memory of 1868	1816	Lucky.exe	111
PID 1816 wrote to memory of 1612	1816	Lucky.exe	113
PID 1816 wrote to memory of 1612	1816	Lucky.exe	113
PID 1816 wrote to memory of 4192	1816	Lucky.exe	115
PID 1816 wrote to memory of 4192	1816	Lucky.exe	115
PID 1816 wrote to memory of 1212	1816	Lucky.exe	117
PID 1816 wrote to memory of 1212	1816	Lucky.exe	117
PID 1816 wrote to memory of 1300	1816	Lucky.exe	119
PID 1816 wrote to memory of 1300	1816	Lucky.exe	119
PID 1816 wrote to memory of 3708	1816	Lucky.exe	121
PID 1816 wrote to memory of 3708	1816	Lucky.exe	121
PID 1816 wrote to memory of 3540	1816	Lucky.exe	123
PID 1816 wrote to memory of 3540	1816	Lucky.exe	123
PID 1816 wrote to memory of 4648	1816	Lucky.exe	125
PID 1816 wrote to memory of 4648	1816	Lucky.exe	125
PID 1816 wrote to memory of 3044	1816	Lucky.exe	127
PID 1816 wrote to memory of 3044	1816	Lucky.exe	127
PID 1816 wrote to memory of 1492	1816	Lucky.exe	129
PID 1816 wrote to memory of 1492	1816	Lucky.exe	129
PID 1816 wrote to memory of 2256	1816	Lucky.exe	131
PID 1816 wrote to memory of 2256	1816	Lucky.exe	131
PID 1816 wrote to memory of 3112	1816	Lucky.exe	133
PID 1816 wrote to memory of 3112	1816	Lucky.exe	133
PID 1816 wrote to memory of 3112	1816	Lucky.exe	133
PID 3112 wrote to memory of 2652	3112	cmd.exe	135
PID 3112 wrote to memory of 2652	3112	cmd.exe	135
PID 3112 wrote to memory of 2652	3112	cmd.exe	135
PID 2652 wrote to memory of 1252	2652	net.exe	136
PID 2652 wrote to memory of 1252	2652	net.exe	136
PID 2652 wrote to memory of 1252	2652	net.exe	136
PID 3112 wrote to memory of 2564	3112	cmd.exe	137
PID 3112 wrote to memory of 2564	3112	cmd.exe	137
PID 3112 wrote to memory of 2564	3112	cmd.exe	137
PID 2564 wrote to memory of 2800	2564	net.exe	138
PID 2564 wrote to memory of 2800	2564	net.exe	138
PID 2564 wrote to memory of 2800	2564	net.exe	138
PID 3112 wrote to memory of 1288	3112	cmd.exe	140
PID 3112 wrote to memory of 1288	3112	cmd.exe	140
PID 3112 wrote to memory of 1288	3112	cmd.exe	140
PID 3112 wrote to memory of 4400	3112	cmd.exe	141
PID 3112 wrote to memory of 4400	3112	cmd.exe	141
PID 3112 wrote to memory of 4400	3112	cmd.exe	141
PID 1816 wrote to memory of 872	1816	Lucky.exe	143
PID 1816 wrote to memory of 872	1816	Lucky.exe	143
PID 1816 wrote to memory of 3428	1816	Lucky.exe	145
PID 1816 wrote to memory of 3428	1816	Lucky.exe	145
PID 1816 wrote to memory of 3428	1816	Lucky.exe	145
PID 3428 wrote to memory of 860	3428	cmd.exe	147
PID 3428 wrote to memory of 860	3428	cmd.exe	147

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Zara+Perm_new.zip
1⤵
PID:4124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Zara+Perm_new\" -spe -an -ai#7zMap25042:84:7zEvent1623
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2652

C:\Users\Admin\Desktop\Zara+Perm_new\Lucky.exe
"C:\Users\Admin\Desktop\Zara+Perm_new\Lucky.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SU AUTO
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BS JO6FPX6RIMZ5DN91
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CS JO6FPX6RIMZ5DN91
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SS JO6FPX6RIMZ5DN91
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SM "System manufacturer"
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SP "System Product Name"
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SV "System Version"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SK "SKU"
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BT "Default string"
  2⤵
  - Executes dropped EXE
  PID:1212
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BLC "Default string"
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CM "Default string"
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CV "Default string"
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CA "Default string"
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CSK "Default string"
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SF "To be filled by O.E.M."
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /PSN JO6FPX6RIMZ5DN91
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Globalization\Time Zone\skibnidi.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:1252
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1288
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4400
- C:\Windows\IME\2.exe
  "C:\Windows\IME\2.exe" C:\Windows\IME\1.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Windows\IME\2.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Windows\IME\2.exe
    C:\Windows\IME\2.exe
    3⤵
    - Executes dropped EXE
    PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Zara+Perm_new\Bunifu.UI.WinForms.dll

Filesize
1.3MB

MD5
7bbf428fb683748a73594b9791a39f96

SHA1
341d30a12cbbd2e8c654fb1ddc382017ac83b2c2

SHA256
a870923034e7f135a4e34a3192c39fea8bf2f8f6a82e700b547101245e5f9de9

SHA512
1770ee20d88f83cfe343800a4dbc95eff0c9c253e2f42cd4d52baac959e1c8385c1c208610b10eeb96782283010ecc36d51ecce9bb815d3ee480024936327c58

Download Submit
C:\Users\Admin\Desktop\Zara+Perm_new\Guna.UI2.dll

Filesize
2.1MB

MD5
278752062981db6fe27ba55f5099b8ae

SHA1
8446637986cf4a24e9135ee5c54f3170600e1e83

SHA256
538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b

SHA512
142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5

Download Submit
C:\Users\Admin\Desktop\Zara+Perm_new\Lucky.exe

Filesize
73KB

MD5
6060c973b6b54b2056b923321fd38863

SHA1
87e4e3d5809d484004801c385172917edca5f4bf

SHA256
be05a8041e8d77bb4f791b3c1aa0fe4522fa7aeff07516025bbce0c4e5b129cb

SHA512
76486f0a76a9943f2ac3260f011319388659371c43599933f766c050c82f8ce2329d629067390a1b928ced96ef23605962d23f65a0354583b2a87d72b33b7750

Download Submit
C:\Windows\Globalization\Time Zone\skibnidi.bat

Filesize
90B

MD5
80ce921d39b0c2739e3edca44fcf253c

SHA1
9261684c7ab28979d40656ae0bc42f73200509cc

SHA256
40a74428be51efaf4f65f27312fc3e8946338817b7a07d67b12fd7b837bdb546

SHA512
1a085b4633a221c4dd312b13524823dc98b1851ece5b8d90392108563767ed741eb982948ae6ba92815a579313c839b80b4c84fe0752212744e7d127781e10e7

Download Submit
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe

Filesize
379KB

MD5
91a31f23f3e50bd0a722e605687aed1e

SHA1
f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

SHA256
818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

SHA512
649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

Download Submit
C:\Windows\IME\2.exe

Filesize
121KB

MD5
00047e72bb99132267a4bec3158917a2

SHA1
caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e

SHA256
e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4

SHA512
7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5

Download Submit
memory/1816-9-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/1816-10-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/1816-11-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1816-12-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/1816-16-0x0000000005260000-0x0000000005474000-memory.dmp

Filesize
2.1MB

Download
memory/1816-17-0x0000000008680000-0x00000000086BC000-memory.dmp

Filesize
240KB

Download
memory/1816-8-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/1816-21-0x000000000A6F0000-0x000000000A840000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads