agenttesla | fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
Size

924KB
MD5

e3d9142bc972b5c18cf65055d754730e
SHA1

9a901d247c4d70d427bc2361aa7ecf187754aaed
SHA256

fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096
SHA512

d4e5611347aafcc2b2ce1a9101f3c60ea1b4f839014fcdeea08aa3fe48291e48eacfa274514622477340a0f1722dfde00e17fabd3970dc305dc55d7163f9fb81
SSDEEP

24576:uRmJkcoQricOIQxiZY1iaCWKqSJfB480u10tc2n:7JZoQrbTFZY1iaCWopUu12n

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5004 set thread context of 3708	5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3708	RegSvcs.exe
3708	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 3548	2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	86
PID 2624 wrote to memory of 3548	2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	86
PID 2624 wrote to memory of 3548	2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	86
PID 2624 wrote to memory of 5004	2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	87
PID 2624 wrote to memory of 5004	2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	87
PID 2624 wrote to memory of 5004	2624	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	87
PID 5004 wrote to memory of 3708	5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	88
PID 5004 wrote to memory of 3708	5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	88
PID 5004 wrote to memory of 3708	5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	88
PID 5004 wrote to memory of 3708	5004	fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe	88

C:\Users\Admin\AppData\Local\Temp\fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
"C:\Users\Admin\AppData\Local\Temp\fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe"
  2⤵
  PID:3548
- C:\Users\Admin\AppData\Local\Temp\fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe
  "C:\Users\Admin\AppData\Local\Temp\fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\fc62e1f8a06c83ac2f02300784042f52a8f071466843f9946724ff6f99ebc096.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\adstipulator

Filesize
263KB

MD5
c6ecc83dc05128f90fd21ccff8e1051e

SHA1
76882218313a49bd41b8bbfba863e5f6915dab79

SHA256
991ee9900c3f80633c53f46199c2afcf754f355cd56f02705b5ab171937ca19c

SHA512
3553208d5fc6afb13c547a617b7305015587c7a0c34256138f8ebe7e4382184c28326fef080764e799138ba85d7eb3e19efcfac57b69a1d6116733661c7fd877

Download Submit
C:\Users\Admin\AppData\Local\Temp\thixophobia

Filesize
140KB

MD5
b40544bcde92db4ebf377847d2154842

SHA1
847a95afbaa2b98eb5f2a32cf171baa1c204036a

SHA256
b7ea4dd59f92a21895f9e9075f84646cb40ebcac60e341e6fbff73836b3162c1

SHA512
4693fcbba67fdbe18b0d7e60959eb4d67e828a480f7efb060e1d8bb586fe79c31979d4141a0d1b03736ab4db292fd6cdc018d629ec7b63e101463f54d5ee704f

Download Submit
memory/2624-11-0x0000000003300000-0x0000000003400000-memory.dmp

Filesize
1024KB

Download
memory/3708-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-28-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-29-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-30-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/3708-31-0x0000000005480000-0x00000000054D6000-memory.dmp

Filesize
344KB

Download
memory/3708-32-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3708-33-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3708-34-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/3708-35-0x0000000005510000-0x0000000005564000-memory.dmp

Filesize
336KB

Download
memory/3708-73-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-95-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-93-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-91-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-89-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-87-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-85-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-83-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-81-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-79-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-77-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-75-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-71-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-70-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-67-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-65-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-61-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-60-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-57-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-55-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-51-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-49-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-45-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-43-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-41-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-36-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-63-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-53-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-47-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-39-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-37-0x0000000005510000-0x000000000555E000-memory.dmp

Filesize
312KB

Download
memory/3708-1104-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3708-1105-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3708-1106-0x0000000006B70000-0x0000000006BC0000-memory.dmp

Filesize
320KB

Download
memory/3708-1107-0x0000000006C60000-0x0000000006CF2000-memory.dmp

Filesize
584KB

Download
memory/3708-1108-0x0000000006BF0000-0x0000000006BFA000-memory.dmp

Filesize
40KB

Download
memory/3708-1109-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3708-1110-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/3708-1111-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/5004-25-0x0000000002FA0000-0x00000000030A0000-memory.dmp

Filesize
1024KB

Download