agenttesla | c05a2d99f15bfc8dc10c8cceb84db95faece377ba0ad38ed882ecba59e1bdcae

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
Size

1.2MB
MD5

5f23c17f4b0f1a42bfe463ee74a92ec9
SHA1

439fa7be32d52c871c737e4b2b97ad93305319e9
SHA256

c05a2d99f15bfc8dc10c8cceb84db95faece377ba0ad38ed882ecba59e1bdcae
SHA512

bc8f5e2c1a53afd026f3105811e3d4c0404dc466bfe2708e64e22ed14fb244475a269d292069808c02e00fab9a9eaffd03d86dbefcd35c5ea73e84739768cce3
SSDEEP

24576:vqDEvCTbMWu7rQYlBQcBiT6rprG8abNJLqSNwa1kCP8NUWg:vTvC/MTQYxsWR7abvl66m

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2904 set thread context of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2348	RegSvcs.exe
2348	RegSvcs.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2828	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	30
PID 2700 wrote to memory of 2784	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	31
PID 2700 wrote to memory of 2784	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	31
PID 2700 wrote to memory of 2784	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	31
PID 2700 wrote to memory of 2784	2700	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	31
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 468	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	32
PID 2784 wrote to memory of 2904	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	33
PID 2784 wrote to memory of 2904	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	33
PID 2784 wrote to memory of 2904	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	33
PID 2784 wrote to memory of 2904	2784	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	33
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34
PID 2904 wrote to memory of 2348	2904	C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe	34

C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
"C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe"
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
  "C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe"
    3⤵
    PID:468
- - C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe
    "C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\C05A2D99F15BFC8DC10C8CCEB84DB95FAECE377BA0AD38ED882ECBA59E1BDCAE.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4DB3.tmp

Filesize
257KB

MD5
80c7fccddd137a0e3185eda73957e4f8

SHA1
660b4b634a9a20dcb43b209bf724c9a0a3a926e7

SHA256
5d5278ef82936cdae37be1a02fe7af8ef2fadee7a8e212202aee0744f4e98c86

SHA512
705759cdca2ce95505bd2516c35252fb779d28005facd36a11518054572cf187d5faf102aa200834acf60147e9d8db8429dcb62e3b478cdb55cab932a892d161

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4DC3.tmp

Filesize
42KB

MD5
2f297e11197ead6d873c29590e34d148

SHA1
d594085b53315830e86ee240bad3cd818d4d6032

SHA256
404607bb87788722a9d3d9e3707409ea865b08d35fb89587f59f752ad69dcbf8

SHA512
3905df92c2c217d4a426d9f4f0a8f73c53b70f010c179e2e8bd8e29280737cede1830430c667068dd9125207183321808d8eb8427d50e32eadcf5b0f899cec4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\carryover

Filesize
262KB

MD5
6cec6a9368f0d08f5f4861e1595508b3

SHA1
1883f949575a7387e101d372e00cefbf8b1bb302

SHA256
f71c6cded9397fbb6455fab8b94962cf2c1af1e59036827eecbb7618fe6b250a

SHA512
f32da71ea8d693b84be6d9d6a1f6bba87dca0721e36f7c4d1902f1c98dd60fd58379219e984817e2d109b116f746aa2ea1c312125da909d8f86d9d62e4f19c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\emboweling

Filesize
84KB

MD5
ce40d3e9f4a1898078ecac29995f5292

SHA1
babd5f5caa8bee7472d926c64c1283e9ffab857f

SHA256
afbb4cf115ccfdc367cb68208f5c7ba5d1566b8004749dfc228e67071f342ed4

SHA512
79ffd89ade909d931b4e9168858ebcff871eaa478fa96d461b7e48ae57f222266ae1bf78c624adad5aae59db973a1d74ae9a47f0a50cf38cbd821127998a131c

Download Submit
memory/2348-38-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2348-40-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2348-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2348-42-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2348-43-0x0000000000450000-0x00000000004A4000-memory.dmp

Filesize
336KB

Download
memory/2348-44-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-47-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-46-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-45-0x00000000020B0000-0x0000000002104000-memory.dmp

Filesize
336KB

Download
memory/2348-49-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-53-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-69-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-107-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-105-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-103-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-1092-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-101-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-99-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-97-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-95-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-93-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-91-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-89-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-87-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-85-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-83-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-81-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-79-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-77-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-75-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-73-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-71-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-67-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-65-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-63-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-61-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-59-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-57-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-55-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-51-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-48-0x00000000020B0000-0x00000000020FD000-memory.dmp

Filesize
308KB

Download
memory/2348-1093-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2348-1094-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/2348-1095-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/2700-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download