agenttesla | 9404c7a99bcdde02f50e378d1dffad170426af7c1c5c545b2f6fd57de48ffad5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware/vbc2.exe
Size

265KB
MD5

aad8885345c5d145c8cb22292332fb38
SHA1

b7c01db77c5cd491bee82e125d4783175a1f73b7
SHA256

0007c9f7203e80c87042d5b4ae3208bf3adf66657c65e02ef6136c5b18ee3bcb
SHA512

70bd8402767b7c7ca1fce5f737e5fff44dda0ebf5a81f1465589dfe5179bc17d82009f771157d2003bf22f7d5582f90330f1159d9d464c90dceeff503e568f09
SSDEEP

6144:HNeZmORhwi08GOs8RuAR3F7saaLIcscJY6pYQsFle2ujpLiFAD:HNlchakNRJKTsN6pYbFlgt7D

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 4 IoCs

Processes:

resource	yara_rule
behavioral21/memory/2332-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral21/memory/2332-18-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral21/memory/2332-19-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla
behavioral21/memory/2332-20-0x0000000000400000-0x000000000044B000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

ioatgumevw.exeioatgumevw.exe

pid process

3056 ioatgumevw.exe
2332 ioatgumevw.exe
Loads dropped DLL 5 IoCs

Processes:

vbc2.exeioatgumevw.exedw20.exe

pid process

2360 vbc2.exe
2360 vbc2.exe
3056 ioatgumevw.exe
1244 dw20.exe
1244 dw20.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ioatgumevw.exe

description pid process target process

PID 3056 set thread context of 2332 3056 ioatgumevw.exe ioatgumevw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3056	ioatgumevw.exe
2332	ioatgumevw.exe

pid	process
2360	vbc2.exe
2360	vbc2.exe
3056	ioatgumevw.exe
1244	dw20.exe
1244	dw20.exe

description	pid	process	target process
PID 3056 set thread context of 2332	3056	ioatgumevw.exe	ioatgumevw.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc2.exeioatgumevw.exeioatgumevw.exedw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ioatgumevw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ioatgumevw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ioatgumevw.exe

pid process

2332 ioatgumevw.exe
2332 ioatgumevw.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ioatgumevw.exe

description pid process

Token: SeDebugPrivilege 2332 ioatgumevw.exe

pid	process
2332	ioatgumevw.exe
2332	ioatgumevw.exe

description	pid	process
Token: SeDebugPrivilege	2332	ioatgumevw.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

vbc2.exeioatgumevw.exeioatgumevw.exe

description	pid	process	target process
PID 2360 wrote to memory of 3056	2360	vbc2.exe	ioatgumevw.exe
PID 2360 wrote to memory of 3056	2360	vbc2.exe	ioatgumevw.exe
PID 2360 wrote to memory of 3056	2360	vbc2.exe	ioatgumevw.exe
PID 2360 wrote to memory of 3056	2360	vbc2.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 3056 wrote to memory of 2332	3056	ioatgumevw.exe	ioatgumevw.exe
PID 2332 wrote to memory of 1244	2332	ioatgumevw.exe	dw20.exe
PID 2332 wrote to memory of 1244	2332	ioatgumevw.exe	dw20.exe
PID 2332 wrote to memory of 1244	2332	ioatgumevw.exe	dw20.exe
PID 2332 wrote to memory of 1244	2332	ioatgumevw.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\malware\vbc2.exe
"C:\Users\Admin\AppData\Local\Temp\malware\vbc2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe
  C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe C:\Users\Admin\AppData\Local\Temp\kghzkpgyin
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe
    C:\Users\Admin\AppData\Local\Temp\ioatgumevw.exe C:\Users\Admin\AppData\Local\Temp\kghzkpgyin
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 520
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7yk8h1szdi

Filesize
284KB

MD5
c0fcdf6c83060610bfd06a232dbce163

SHA1
aeaa28e293eba2347e1a29608cb41f4646cd92f6

SHA256
9f8d2ff465ce5caba6ade5e7dbfd5a349980ccaf780412aaa8e2685ba88bb31f

SHA512
d2ab68ee32efb8c1c5614e7d8a47728f097e8f7a30ede3c5c5d805ba2c20ed7bbd8cb5242c12de852b23fb5d52ded82058fb1cbbc211bfe027b3b4aad352b78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kghzkpgyin

Filesize
5KB

MD5
cbac7f599beb8247e95dd1ba7a84636e

SHA1
cc8fec2fba79fa494d8fb41dc1fea3d8a18343f2

SHA256
cbb92fe48e868dd2bf0138d48faa7e6573340928d5e253ed93599aa357a2d0e3

SHA512
5494afa3bd99f09574420e535e8b584bf21a56d3e4cea58668a2efa5ba623cc7f971a3dd6f905737b9ab30d6af0bc50bc7e6f2aef7f9e5086cdf3808b9ca1a35

Download Submit
\Users\Admin\AppData\Local\Temp\ioatgumevw.exe

Filesize
4KB

MD5
f88371b8ec4dc631943fe54a227707dc

SHA1
a127b7a645f9468105a31109a3572960004a7316

SHA256
6ea31176202a06bbfd787b91c64c8ac55cd8e2c817e37d556576133334a3614b

SHA512
b4d04bf47e643845e97da626f62dcd5ac3611508300769bb2840fbde88ecbc2229cadd0ef3b2b50ab36042e9e31c71211e4d335871f15840ec5aa3bd5244c1ef

Download Submit
memory/2332-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2332-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2332-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2332-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3056-11-0x0000000000220000-0x0000000000222000-memory.dmp

Filesize
8KB

Download