agenttesla | 91d32b713114fac7d89f9b5f6fdadc3e6d6c00f61d2c6f3ae31ba22af9583441

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc02417120024.exe
Size

950KB
MD5

bd28f9a835c67ce45b3a3ca02f6737a2
SHA1

16dc478690c24f29b52186f0ed8c152007fdbaeb
SHA256

2f089d43e47839f07590fc97fbd2bbe91f08ff02d50b3a6b7fe68f3e1a81026d
SHA512

c811d48001aade05a917e89770277a0af0a5f10639c1dd63c66d99728650c877d74f843ab4c9f57847f1654fe7240606072c51383a90811ec6aeb62ee91e2290
SSDEEP

12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCBWGvAbhGCPvkK3X1rGs2:uRmJkcoQricOIQxiZY1iaCBtvgvLdG9J

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2200	2128	doc02417120024.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc02417120024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2200	RegSvcs.exe
2200	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2128	doc02417120024.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31
PID 2128 wrote to memory of 2200	2128	doc02417120024.exe	31

C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
"C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\niellists

Filesize
263KB

MD5
2d4142656f20e40ebcbb93ce8e567a0d

SHA1
13f8557b225fa9d6ebb32ee4df65e13ed11c602a

SHA256
1e73812a841938226b643b351f2681fa7c97a1cfe7e24d2a5e54aa43bb822ec6

SHA512
331d89c906c088216494162e896a79c80b7983861970a5c803dfcffb13e3826014b4c84b08333cfa4ac64e7a031632e7d3950acae800498acdff5d1097375acb

Download Submit
memory/2128-6-0x00000000002A0000-0x00000000002A4000-memory.dmp

Filesize
16KB

Download
memory/2200-7-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2200-9-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2200-10-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2200-11-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/2200-12-0x0000000000B50000-0x0000000000BA6000-memory.dmp

Filesize
344KB

Download
memory/2200-13-0x0000000000D90000-0x0000000000DE4000-memory.dmp

Filesize
336KB

Download
memory/2200-14-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-15-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-69-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-75-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-122-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-73-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-71-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-67-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-65-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-63-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-61-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-59-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-57-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-55-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-53-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-49-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-47-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-46-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-43-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-41-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-39-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-37-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-35-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-33-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-31-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-29-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-27-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-23-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-21-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-19-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-17-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-16-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-51-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-25-0x0000000000D90000-0x0000000000DDE000-memory.dmp

Filesize
312KB

Download
memory/2200-1085-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2200-1086-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2200-1087-0x000000007440E000-0x000000007440F000-memory.dmp

Filesize
4KB

Download
memory/2200-1088-0x0000000074400000-0x0000000074AEE000-memory.dmp

Filesize
6.9MB

Download