agenttesla | fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe
Size

16.0MB
MD5

abb2a74bc47c2cbf8581064f12dfe894
SHA1

b029052e33cdab649ce31538732074a7fa828a8a
SHA256

fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e
SHA512

1ac1b6e9a0eed7a17d7c62f32b52f83c085e2b5865259326ad59ac04413e1669528f56f6878753a8a8f34d1166d131b9f48f82172b50278820913463a2b8e34e
SSDEEP

393216:2Dv9uwkgu5lva7OOtFl4UnqFIJXsPpay:M9xkZMl4i8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/memory/1860-1-0x000000013FF80000-0x0000000140F8A000-memory.dmp	family_agenttesla
behavioral1/memory/1860-2-0x000000001BEE0000-0x000000001C0F4000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1860	fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe

C:\Users\Admin\AppData\Local\Temp\fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe
"C:\Users\Admin\AppData\Local\Temp\fce13b039c9ad4d7f66e37ccf52e14e1e2182dc1c50a334174139abe13af9f1e.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-0-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/1860-1-0x000000013FF80000-0x0000000140F8A000-memory.dmp

Filesize
16.0MB

Download
memory/1860-2-0x000000001BEE0000-0x000000001C0F4000-memory.dmp

Filesize
2.1MB

Download
memory/1860-3-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-5-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-4-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download
memory/1860-6-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

Filesize
4KB

Download
memory/1860-7-0x000007FEF5230000-0x000007FEF5C1C000-memory.dmp

Filesize
9.9MB

Download