agenttesla | e82da29ba80ba9f702db759c4ffb8e755db261421f74a222f9bdb7822999c24c

Analysis

max time kernel
290s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009.vbe
Size

10KB
MD5

9ff77002fbcbdd6e749722541b423034
SHA1

ea5ff219e2dde3cc57a1668ff0526be5b84e1250
SHA256

5b3b169b48056c1cd8b84093c312de2f9ec1c7a1edcd7591743f6eac62c98ab9
SHA512

609f25739f34355e0e37fd244cd743f3442be6cb2518ff9fa0ec58ec5ec103e730d5f005ca86c040a7b3a078d49dd6b2363659085eaecc2de2fd24159da13388
SSDEEP

192:meHNd/sigyXaoMutGV+GCCYSyC+QvdyNhnKxtKlK:5HMiTDV+xnYSH+QVyNhnctKM

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3352	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
76	api.ipify.org
75	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 264	1644	powershell.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1144	WINWORD.EXE
1144	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1644	powershell.exe
1644	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
1644	powershell.exe
1644	powershell.exe
264	MSBuild.exe
264	MSBuild.exe
264	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	264	MSBuild.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE
1144	WINWORD.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1644	940	WScript.exe	96
PID 940 wrote to memory of 1644	940	WScript.exe	96
PID 940 wrote to memory of 2280	940	WScript.exe	107
PID 940 wrote to memory of 2280	940	WScript.exe	107
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 264	1644	powershell.exe	109
PID 1644 wrote to memory of 3600	1644	powershell.exe	110
PID 1644 wrote to memory of 3600	1644	powershell.exe	110
PID 2280 wrote to memory of 1044	2280	powershell.exe	111
PID 2280 wrote to memory of 1044	2280	powershell.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009.vbe"
1⤵
- Blocklisted process makes network request
PID:3352

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1644" "2736" "2676" "2740" "0" "0" "2744" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3600
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2280" "2684" "2616" "2688" "0" "0" "2692" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1044

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SearchExit.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD67C3.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_04ru004z.jvl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
391B

MD5
58a0366916955fc7ae96df07e3cda461

SHA1
5bc4e39a56465f51ba435d34671eed765cc84d6f

SHA256
82160f607277c2433155d40d8fafdb49d9f330feb39b9ad955284b690fb948be

SHA512
fa1184ddb64be0355daa2452e86c21787626d2b6eb1970f73a095c434374f2ccf45a73e93b0b62fade7eeafbf964722f9fbcf03677adaf57fd545f0075e5fc72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2274a1c4abdc1e6eef583d01b64c0bd2

SHA1
ffcbeb16157baf8b9c1564348f8db65334758923

SHA256
a673fbb5b461ee029d90bb37d953a20e9204dfd9a6e59e9cde92561cfbad6015

SHA512
7d71bd199d4c764eac44644bdac5fd939b92172f415e0df8c8d967727de5eb6a3cd5bda7f2ec978324adf34145eb5f75139e76cd18a1fce2c02523d5424191c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
1d2b8d9ec8de7b4cdb9e8472bd0bb6c0

SHA1
e7eb039073a5044b919c5ee60bf40e9c2d0fa80a

SHA256
36e76b8068ea01da3f30731f00d4fe1c08b7d1ff5a016f1ebfb1804a37d54a49

SHA512
d3fdbb74b947e729a33274837102bcbd2532aaffcb5a9687233af2f06bdb0f82deba68a9f6cbf22eaec90cfbdf38e4a72fb01d98c92f6be316fcabf796d3a17e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
d86f7c1ca30480941db150dab80094f9

SHA1
d92858cc06c37ce7ba6fdc899e064e38b27f6383

SHA256
10c87c4825ba5bdb043da9c2b6dd5568837d3e9dbf5a296a86c600eb6ce0f477

SHA512
d84b6f3e900771cca53ae5de015087ec66211ae1f7cb2c47e463c605f6e97592a322916bc5d54a4ffb0004b9615d144ed0add2e74176fe9a703a3131fef7db08

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
cc47c21d188bc9cb6b0757db4dfca921

SHA1
110a6104ec0d74e44db7287fbfdc7c540cfd3093

SHA256
ad65a8c62d1839e6543df0c5511c8f19044583c996a35f4cdbd6c88528c00c1f

SHA512
43dba07c375425efadedb0ed15f8f53c9e99a9e6edb44ce533d145774e1297f9f96b0814c0c771eeee189d54dad084488cf3b7e2124d71389bf6fbcfe3388391

Download Submit
C:\Users\Admin\AppData\Roaming\bEvujIIdkyIbOgF.vbs

Filesize
2KB

MD5
ddf1e2f5de2ce71ccf56af38dedb27d0

SHA1
0033a0eb6babb97203cb8bb7f68287cfac9d96dc

SHA256
0a988536fc481bd16af5469d5faa1bbb9dc321601dfa858479c01844a3cdd1c8

SHA512
f4e451051d3bf74faf142973ef1f2a8c008d654f6d7178dbc426dceee2f16fb88c90980e3e12e77b3499d9f7a0bc4f36faafad35fb52bb9c8f8ba03ae2585941

Download Submit
memory/264-250-0x0000000005440000-0x00000000059E4000-memory.dmp

Filesize
5.6MB

Download
memory/264-212-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/264-254-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download
memory/264-253-0x0000000006480000-0x0000000006512000-memory.dmp

Filesize
584KB

Download
memory/264-252-0x0000000006390000-0x00000000063E0000-memory.dmp

Filesize
320KB

Download
memory/264-251-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/1144-20-0x00007FFFBF090000-0x00007FFFBF0A0000-memory.dmp

Filesize
64KB

Download
memory/1144-16-0x00007FFFBF090000-0x00007FFFBF0A0000-memory.dmp

Filesize
64KB

Download
memory/1144-19-0x00007FFFBF090000-0x00007FFFBF0A0000-memory.dmp

Filesize
64KB

Download
memory/1144-17-0x00007FFFBF090000-0x00007FFFBF0A0000-memory.dmp

Filesize
64KB

Download
memory/1144-21-0x00007FFFBC9D0000-0x00007FFFBC9E0000-memory.dmp

Filesize
64KB

Download
memory/1144-22-0x00007FFFBC9D0000-0x00007FFFBC9E0000-memory.dmp

Filesize
64KB

Download
memory/1144-18-0x00007FFFBF090000-0x00007FFFBF0A0000-memory.dmp

Filesize
64KB

Download
memory/1644-15-0x0000018F7B0E0000-0x0000018F7B156000-memory.dmp

Filesize
472KB

Download
memory/1644-95-0x0000018F7A1F0000-0x0000018F7A1F8000-memory.dmp

Filesize
32KB

Download
memory/1644-96-0x0000018F7AFE0000-0x0000018F7AFEC000-memory.dmp

Filesize
48KB

Download
memory/1644-14-0x0000018F7B010000-0x0000018F7B054000-memory.dmp

Filesize
272KB

Download
memory/1644-4-0x0000018F7A1A0000-0x0000018F7A1C2000-memory.dmp

Filesize
136KB

Download