agenttesla | 4202f7fb5710bdb128f6619b2f441cca74c2637267cb1a37b955d7563522ac1b

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

heif.dll
Size

1.3MB
MD5

53ef71e5b537ee5b4c1dac26142781e0
SHA1

5c615a3558e1ae87d1af51a205893b10d50fc0d0
SHA256

0338d145cd8031fe359cc4d5feb62060aecee9fab76f58c76f31e4f2167e11d4
SHA512

7e92cc792ec93433d4ae1220d7e3d3c6c763d220e5123a1f1ca0e6ad282c4015de9a05ed7011274b16b56bdcfb91a3966b4ef18b69ec5c084c569cc3a50fc27b
SSDEEP

24576:PpMjSJGKw1B5R8Wc7G0gfdUFg3CbypD2lMJd05FXDDnvjWQx/KhxWuuWW7UNbryB:PpsSJGKwzX8MfdUFg3CbypD2lMJd05F1

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot7220431026:AAHszs0XzPcajloTXlLJDVKab99uNUvPaok/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2068 set thread context of 2448	2068	rundll32.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2448	AddInProcess32.exe
2448	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	AddInProcess32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2448	2068	rundll32.exe	30
PID 2068 wrote to memory of 2876	2068	rundll32.exe	31
PID 2068 wrote to memory of 2876	2068	rundll32.exe	31
PID 2068 wrote to memory of 2876	2068	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\heif.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2068 -s 236
  2⤵
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2448-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-4-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-2-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2448-5-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/2448-6-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-7-0x000000007457E000-0x000000007457F000-memory.dmp

Filesize
4KB

Download
memory/2448-8-0x0000000074570000-0x0000000074C5E000-memory.dmp

Filesize
6.9MB

Download