Analysis

  • max time kernel
    94s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/10/2024, 01:34 UTC

General

  • Target

    4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe

  • Size

    2.8MB

  • MD5

    05aae520bbc216edc07abeb07c5f763e

  • SHA1

    38fc6fb1076e9cce368b55ef4491652384209560

  • SHA256

    4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2

  • SHA512

    b3bbec0d5a04beb2ec108638b7509bd6741542ddec2b53138983cafc41c9bb5192492838cfa97360c9726edc0535b817a5c5da277a342813615f6c8989305b86

  • SSDEEP

    24576:nC6uNvi15kGX4QnksdqJySDJB37yxYJaKBd021ut+yOCc3BtxqSVVg6vB7uXeXd:fOXXvoEm0TucvJ9CDT2uEDmAEx

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3440
      • C:\Users\Admin\AppData\Local\Temp\4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe
        "C:\Users\Admin\AppData\Local\Temp\4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4612
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4920

    Network

    • flag-us
      DNS
      wymascensores.com
      4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe
      Remote address:
      8.8.8.8:53
      Request
      wymascensores.com
      IN A
      Response
      wymascensores.com
      IN A
      67.212.175.162
    • flag-us
      GET
      https://wymascensores.com/mandas/Mjvzchsck.vdf
      4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe
      Remote address:
      67.212.175.162:443
      Request
      GET /mandas/Mjvzchsck.vdf HTTP/1.1
      Host: wymascensores.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Tue, 08 Oct 2024 02:25:09 GMT
      Server: Apache
      Last-Modified: Fri, 04 Oct 2024 06:46:57 GMT
      Accept-Ranges: bytes
      Content-Length: 958472
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      162.175.212.67.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      162.175.212.67.in-addr.arpa
      IN PTR
      Response
      162.175.212.67.in-addr.arpa
      IN PTR
      crystalsuperdomainzonecom
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2F0DB6EB0C2961513214A3F90D2F6078; domain=.bing.com; expires=Sun, 02-Nov-2025 02:25:09 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 1BF345A43AF84C6090E52B044FFA3B0D Ref B: LON601060107023 Ref C: 2024-10-08T02:25:09Z
      date: Tue, 08 Oct 2024 02:25:09 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2F0DB6EB0C2961513214A3F90D2F6078
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=jN2vGNYt8dXnjt4ik3PtPFaJEJWq67tR19E-AygUKvw; domain=.bing.com; expires=Sun, 02-Nov-2025 02:25:09 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EFF50C67028A445CA72389627D1C2039 Ref B: LON601060107023 Ref C: 2024-10-08T02:25:09Z
      date: Tue, 08 Oct 2024 02:25:09 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2F0DB6EB0C2961513214A3F90D2F6078; MSPTC=jN2vGNYt8dXnjt4ik3PtPFaJEJWq67tR19E-AygUKvw
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F502D1152CDE4D6AB0D7CA389F47A167 Ref B: LON601060107023 Ref C: 2024-10-08T02:25:09Z
      date: Tue, 08 Oct 2024 02:25:09 GMT
    • flag-us
      DNS
      58.99.105.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.99.105.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      83.210.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.210.23.2.in-addr.arpa
      IN PTR
      Response
      83.210.23.2.in-addr.arpa
      IN PTR
      a2-23-210-83.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • 67.212.175.162:443
      https://wymascensores.com/mandas/Mjvzchsck.vdf
      tls, http
      4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe
      23.8kB
      994.3kB
      464
      721

      HTTP Request

      GET https://wymascensores.com/mandas/Mjvzchsck.vdf

      HTTP Response

      200
    • 150.171.27.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=
      tls, http2
      2.0kB
      9.4kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=a2d507f8600c4302b1cad9168d83f481&localId=w:0C449796-1E55-FEFD-C5A5-A0B044A63D2B&deviceId=6896208601980624&anid=

      HTTP Response

      204
    • 8.8.8.8:53
      wymascensores.com
      dns
      4aea573eeb1ef07b8186fc10089dd972303f2ca89c5758932edff01dbb6203c2.exe
      63 B
      79 B
      1
      1

      DNS Request

      wymascensores.com

      DNS Response

      67.212.175.162

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      162.175.212.67.in-addr.arpa
      dns
      73 B
      114 B
      1
      1

      DNS Request

      162.175.212.67.in-addr.arpa

    • 8.8.8.8:53
      58.99.105.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      58.99.105.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      83.210.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      83.210.23.2.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/4612-0-0x000000007484E000-0x000000007484F000-memory.dmp

      Filesize

      4KB

    • memory/4612-1-0x0000000000B10000-0x0000000000DE2000-memory.dmp

      Filesize

      2.8MB

    • memory/4612-2-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4612-3-0x00000000062B0000-0x00000000063A0000-memory.dmp

      Filesize

      960KB

    • memory/4612-19-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-21-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-55-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-67-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-65-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-63-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-61-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-59-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-57-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-51-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-49-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-47-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-45-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-43-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-41-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-37-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-33-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-31-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-29-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-27-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-25-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-23-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-17-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-15-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-13-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-11-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-9-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-53-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-7-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-39-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-35-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-5-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-4-0x00000000062B0000-0x000000000639A000-memory.dmp

      Filesize

      936KB

    • memory/4612-1078-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4612-1079-0x00000000064B0000-0x000000000651A000-memory.dmp

      Filesize

      424KB

    • memory/4612-1080-0x00000000063E0000-0x000000000642C000-memory.dmp

      Filesize

      304KB

    • memory/4612-1084-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4612-1085-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4612-1086-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4612-1087-0x0000000006E80000-0x0000000007424000-memory.dmp

      Filesize

      5.6MB

    • memory/4612-1088-0x00000000068D0000-0x0000000006924000-memory.dmp

      Filesize

      336KB

    • memory/4612-1091-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4920-1092-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4920-1093-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

    • memory/4920-1094-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB

    • memory/4920-1095-0x0000000005450000-0x00000000054B6000-memory.dmp

      Filesize

      408KB

    • memory/4920-1096-0x0000000006200000-0x0000000006250000-memory.dmp

      Filesize

      320KB

    • memory/4920-1097-0x00000000062F0000-0x0000000006382000-memory.dmp

      Filesize

      584KB

    • memory/4920-1098-0x0000000006270000-0x000000000627A000-memory.dmp

      Filesize

      40KB

    • memory/4920-1099-0x0000000074840000-0x0000000074FF0000-memory.dmp

      Filesize

      7.7MB
