agenttesla | 94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
Size

1.5MB
MD5

1037805eae48d987a6b8fa7a9957a23d
SHA1

146bf657c81339bb67b15c46d536b587f25975e4
SHA256

94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07
SHA512

5d7f8fdc978306044939e804c528a0bb745d0edbafe713524016fa00797d73f8a1d0fdd0f35daa450f3eedd26d2716f2eaf39f27cc7ee9e04166c973cd3e7b7e
SSDEEP

24576:CAOcZBIhv1RIAhjLoamMiX4lNmZg0YxegPbUIDPPrAhhIpD0wo1B/wGdJunq3o9:IvjLoyEkmZ9Y14EDHo1VwGdJunq3o9

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.serviceconsutant.com
Port:
587
Username:
[email protected]
Password:
wURFDkR4

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012117-5.dat	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
1476	keylogger.exe

Loads dropped DLL 5 IoCs

pid	Process
2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	keylogger.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	keylogger.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	keylogger.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"	keylogger.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keylogger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2632	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	keylogger.exe
1476	keylogger.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
832	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	keylogger.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
832	AcroRd32.exe
832	AcroRd32.exe
832	AcroRd32.exe
1476	keylogger.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 832	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	31
PID 2464 wrote to memory of 832	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	31
PID 2464 wrote to memory of 832	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	31
PID 2464 wrote to memory of 832	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	31
PID 2464 wrote to memory of 1476	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	32
PID 2464 wrote to memory of 1476	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	32
PID 2464 wrote to memory of 1476	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	32
PID 2464 wrote to memory of 1476	2464	94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe	32
PID 1476 wrote to memory of 2632	1476	keylogger.exe	34
PID 1476 wrote to memory of 2632	1476	keylogger.exe	34
PID 1476 wrote to memory of 2632	1476	keylogger.exe	34
PID 1476 wrote to memory of 2632	1476	keylogger.exe	34

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	keylogger.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	keylogger.exe

C:\Users\Admin\AppData\Local\Temp\94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe
"C:\Users\Admin\AppData\Local\Temp\94645e6870be55af9df9f85d09aa0e8864a66989fbffaf02b705764b65f6ef07.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\2020.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:832
- C:\Users\Admin\AppData\Local\Temp\keylogger.exe
  "C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:1476
- - C:\Windows\SysWOW64\netsh.exe
    "netsh" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2020.pdf

Filesize
348KB

MD5
8785cb30a744d6099f842c5305e83644

SHA1
277e718ba0c509e6a5322b3cc2542d456586d64e

SHA256
168e2da01fedbdd8188421bf9d13c0f07add612d424277cd8a350a6b9428d305

SHA512
7b1808275663d62c410b9627a11a06d442f334b4a1717e2aae83fe11af7424fe196d1036b98ab77c5b1391cfb2fb67a7152c80419b35e15c9282707442d12012

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
87c0147e520d288e9e1dac0ef1733a46

SHA1
500de6888167cf040c85c0f945efb4dd84e3ca99

SHA256
c72b237f2e79008189fdcfbbf155e0e2bbf875f554c4e2fbd37e0ef3a068c65b

SHA512
9a8692fd8552d897bc18c06b492ba816d654aa853e8617b25448af8c9e00100aa466f722227fbf56bd916f21d24d6982bac7d822f3156b4dc2362eb17facfa08

Download Submit
\Users\Admin\AppData\Local\Temp\Keylogger.exe

Filesize
300KB

MD5
bc5967eb5d4c1628b8e627707b05184d

SHA1
86a7dc7081e52fae87715f341058ed0a64c9197d

SHA256
4392c3c2f328ce1d896c7df98673de3f17a27c5e7cdfe4d2b8fc37eddb68c44e

SHA512
d31ec44f5815a133e89994ea9c6681392b61c4a4e58b307c277daf1ad7d2a37b6d9e973d38703efe616620bd2a14662b50897749f445791ee5cadd2bd73626b8

Download Submit