agenttesla | 91d32b713114fac7d89f9b5f6fdadc3e6d6c00f61d2c6f3ae31ba22af9583441

Analysis

max time kernel
94s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc02417120024.exe
Size

950KB
MD5

bd28f9a835c67ce45b3a3ca02f6737a2
SHA1

16dc478690c24f29b52186f0ed8c152007fdbaeb
SHA256

2f089d43e47839f07590fc97fbd2bbe91f08ff02d50b3a6b7fe68f3e1a81026d
SHA512

c811d48001aade05a917e89770277a0af0a5f10639c1dd63c66d99728650c877d74f843ab4c9f57847f1654fe7240606072c51383a90811ec6aeb62ee91e2290
SSDEEP

12288:ehkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4aCBWGvAbhGCPvkK3X1rGs2:uRmJkcoQricOIQxiZY1iaCBtvgvLdG9J

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 3056	2116	doc02417120024.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc02417120024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc02417120024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doc02417120024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3056	RegSvcs.exe
3056	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2872	doc02417120024.exe
3728	doc02417120024.exe
2116	doc02417120024.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4796	2872	doc02417120024.exe	82
PID 2872 wrote to memory of 4796	2872	doc02417120024.exe	82
PID 2872 wrote to memory of 4796	2872	doc02417120024.exe	82
PID 2872 wrote to memory of 3728	2872	doc02417120024.exe	83
PID 2872 wrote to memory of 3728	2872	doc02417120024.exe	83
PID 2872 wrote to memory of 3728	2872	doc02417120024.exe	83
PID 3728 wrote to memory of 516	3728	doc02417120024.exe	84
PID 3728 wrote to memory of 516	3728	doc02417120024.exe	84
PID 3728 wrote to memory of 516	3728	doc02417120024.exe	84
PID 3728 wrote to memory of 2116	3728	doc02417120024.exe	85
PID 3728 wrote to memory of 2116	3728	doc02417120024.exe	85
PID 3728 wrote to memory of 2116	3728	doc02417120024.exe	85
PID 2116 wrote to memory of 3056	2116	doc02417120024.exe	86
PID 2116 wrote to memory of 3056	2116	doc02417120024.exe	86
PID 2116 wrote to memory of 3056	2116	doc02417120024.exe	86
PID 2116 wrote to memory of 3056	2116	doc02417120024.exe	86

C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
"C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
  2⤵
  PID:4796
- C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
  "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
    3⤵
    PID:516
- - C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe
    "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\doc02417120024.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut802C.tmp

Filesize
263KB

MD5
2d4142656f20e40ebcbb93ce8e567a0d

SHA1
13f8557b225fa9d6ebb32ee4df65e13ed11c602a

SHA256
1e73812a841938226b643b351f2681fa7c97a1cfe7e24d2a5e54aa43bb822ec6

SHA512
331d89c906c088216494162e896a79c80b7983861970a5c803dfcffb13e3826014b4c84b08333cfa4ac64e7a031632e7d3950acae800498acdff5d1097375acb

Download Submit
memory/2872-7-0x0000000003320000-0x0000000003324000-memory.dmp

Filesize
16KB

Download
memory/3056-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3056-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3056-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3056-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3056-28-0x0000000005040000-0x0000000005096000-memory.dmp

Filesize
344KB

Download
memory/3056-29-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/3056-30-0x0000000005110000-0x0000000005164000-memory.dmp

Filesize
336KB

Download
memory/3056-68-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-90-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-88-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-86-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-84-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-82-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-80-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-78-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-76-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-74-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-72-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-70-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-66-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-64-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-62-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-60-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-58-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-56-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-54-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-52-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-50-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-48-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-46-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-44-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-42-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-40-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-36-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-34-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-32-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-31-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-38-0x0000000005110000-0x000000000515E000-memory.dmp

Filesize
312KB

Download
memory/3056-1099-0x00000000052D0000-0x0000000005336000-memory.dmp

Filesize
408KB

Download
memory/3056-1100-0x00000000065E0000-0x0000000006630000-memory.dmp

Filesize
320KB

Download
memory/3056-1101-0x00000000066D0000-0x0000000006762000-memory.dmp

Filesize
584KB

Download
memory/3056-1102-0x0000000006660000-0x000000000666A000-memory.dmp

Filesize
40KB

Download
memory/3056-1103-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download