agenttesla | bd083c422853ed2a6270fd7be75e3b7f95f128f1496546993c381ac4818f1e99

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15/11/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ESTEEM ASTRO PARTICULARS.pdf.exe
Size

1.1MB
MD5

177433242c915815b6c13dc992a2e82b
SHA1

4ef6d9a9b024d0e43dbb797e90234e768299296c
SHA256

1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf
SHA512

bc0b3b8367ad592f652ba21d8e87899daebc5bdad3ebeddf72331d6ce5269e9df8a6bf81fb409b49325a4648d6f71b087a1f1a45292d63e3185e98fc90c19fc1
SSDEEP

24576:jtb20pkaCqT5TBWgNQ7aIdoXsVfcwhoyVKMQXH6A:gVg5tQ7aIachfhSH5

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1684 set thread context of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ESTEEM ASTRO PARTICULARS.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2016	RegSvcs.exe
2016	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1684	ESTEEM ASTRO PARTICULARS.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30
PID 1684 wrote to memory of 2016	1684	ESTEEM ASTRO PARTICULARS.pdf.exe	30

C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\ESTEEM ASTRO PARTICULARS.pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\proximobuccal

Filesize
261KB

MD5
37c8359babb5211ca2026d38a5de9d08

SHA1
286adc5945eb69075f150a2c01d7c0e36d328dac

SHA256
5cad2ca441900ae49aaa98725d963993bec2389af749265bc804011d57aeb8fb

SHA512
1521e3ff9845061b9b7076ee3a32ff1a0b900abcb17b1d2d3d8a798473c70cde0208255f566378dc2b88d606fe40a7c58ceb931cb81a068792779e44482605d6

Download Submit
memory/1684-7-0x0000000000650000-0x0000000000A50000-memory.dmp

Filesize
4.0MB

Download
memory/2016-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2016-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2016-9-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2016-12-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2016-13-0x00000000009D0000-0x0000000000A24000-memory.dmp

Filesize
336KB

Download
memory/2016-14-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-15-0x0000000000CA0000-0x0000000000CF2000-memory.dmp

Filesize
328KB

Download
memory/2016-16-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-117-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-76-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-74-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-72-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-70-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-68-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-66-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-64-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-62-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-60-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-56-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-54-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-52-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-50-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-48-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-58-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-46-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-44-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-42-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-40-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-38-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-36-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-34-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-32-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-30-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-28-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-26-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-24-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-22-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-20-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-18-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-17-0x0000000000CA0000-0x0000000000CEC000-memory.dmp

Filesize
304KB

Download
memory/2016-1050-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-1051-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2016-1052-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/2016-1053-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download