agenttesla | caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
Size

51KB
MD5

b590cc8881bf3f255800f14cedd0dd57
SHA1

19eb6694c13c1ad1be23d7425c2500c59090f30b
SHA256

caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b
SHA512

2a90a4ffb48a975d6c061cf618a23753f2b26082bb27e80567c09d16d1e87d104fe87ba0f18110ffe23858d758f689e62c155d8926ab824d644050d04621c233
SSDEEP

384:DQc7UaUMrg7ilYqCndq5I16MjSj67WBTk0BthfifTZ2GShq6ki2lKxiIiW1sQS+1:EEDrgsCKc0Bvfr7F2zInyQS+ST6nkC1

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
6RLYuUCIH8hN
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 684 created 3568	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	56

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 684 set thread context of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
2548	InstallUtil.exe
2548	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
Token: SeDebugPrivilege	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
Token: SeDebugPrivilege	2548	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82
PID 684 wrote to memory of 2548	684	caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Users\Admin\AppData\Local\Temp\caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe
  "C:\Users\Admin\AppData\Local\Temp\caf4b10a21b5f04dacde6d63508a7d37b7ae81d66a381e41be311c870d69a81b.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/684-1-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/684-2-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-3-0x00000000069E0000-0x0000000006AF2000-memory.dmp

Filesize
1.1MB

Download
memory/684-4-0x00000000070A0000-0x0000000007644000-memory.dmp

Filesize
5.6MB

Download
memory/684-5-0x0000000006BB0000-0x0000000006C42000-memory.dmp

Filesize
584KB

Download
memory/684-17-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-15-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-7-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-6-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-21-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-67-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-69-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-65-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-63-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-61-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-59-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-57-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-53-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-51-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-49-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-45-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-43-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-41-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-39-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-37-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-35-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-33-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-55-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-47-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-31-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-29-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-25-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-23-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-19-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-13-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-11-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-9-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-27-0x00000000069E0000-0x0000000006AEC000-memory.dmp

Filesize
1.0MB

Download
memory/684-1328-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-1329-0x0000000006CB0000-0x0000000006D1C000-memory.dmp

Filesize
432KB

Download
memory/684-1330-0x0000000006D80000-0x0000000006DEA000-memory.dmp

Filesize
424KB

Download
memory/684-1331-0x0000000006F80000-0x0000000006FCC000-memory.dmp

Filesize
304KB

Download
memory/684-1332-0x0000000006FF0000-0x0000000007044000-memory.dmp

Filesize
336KB

Download
memory/684-1339-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-1336-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/684-1344-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-1342-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-1341-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/684-1345-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-1346-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-1347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2548-1348-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2548-1349-0x00000000054C0000-0x0000000005526000-memory.dmp

Filesize
408KB

Download
memory/2548-1350-0x00000000068D0000-0x0000000006920000-memory.dmp

Filesize
320KB

Download
memory/2548-1351-0x0000000006940000-0x000000000694A000-memory.dmp

Filesize
40KB

Download
memory/2548-1352-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download