agenttesla | 6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FAKTURA DHL.exe
Size

3.7MB
MD5

7c5ba84841c124268a70f0a668d851cb
SHA1

b427e9c43f0a1a361f7bf38d5ea829e09a986f54
SHA256

6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe
SHA512

523a026f20a80a120e107fbe32bcf8f8434910f9d20ae12c0cf4469b5a61fe120553f952c1724451ec40d3d043a874b57612278d9ed5834f9e85b4aaf928e64a
SSDEEP

98304:2XxBLBJqj8ysrESFeA4xEa375aqJeZhd9ijkMCIhNVT+lLb:2X7LjgFs5FUEfX3gqANG

Score

10^/10

agenttesla quasar sim discovery keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.keeptraveling-eg.com
Port:
587
Username:
[email protected]
Password:
Do76#Zbbdonia

Extracted

Family

quasar

Version

1.4.1

Botnet

SIM

yuba.ydns.eu:6921

Mutex

c1407Qq42e-4199-420b-b7e3-f2181EdZ44b38970

Attributes

encryption_key
9AE9A56EA56429B2803AB077CB5D2AE3FDEA1BD6
install_name
Edge.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Edge
subdirectory
SubDir

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.keeptraveling-eg.com
Port:
587
Username:
[email protected]
Password:
Do76#Zbbdonia
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/2052-11-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Edge.exe

Executes dropped EXE 4 IoCs

pid	Process
1180	Edge.exe
2756	Edge.exe
3608	Edge.exe
1232	Edge.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	api.ipify.org
45	api.ipify.org
46	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1012 set thread context of 2052	1012	FAKTURA DHL.exe	92
PID 1180 set thread context of 2756	1180	Edge.exe	98
PID 3608 set thread context of 1232	3608	Edge.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FAKTURA DHL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FAKTURA DHL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edge.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2328	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2328	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4652	schtasks.exe
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1012	FAKTURA DHL.exe
1012	FAKTURA DHL.exe
1012	FAKTURA DHL.exe
1012	FAKTURA DHL.exe
1232	Edge.exe
1232	Edge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	FAKTURA DHL.exe
Token: SeDebugPrivilege	2052	FAKTURA DHL.exe
Token: SeDebugPrivilege	2756	Edge.exe
Token: SeDebugPrivilege	1232	Edge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	Edge.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 668	1012	FAKTURA DHL.exe	90
PID 1012 wrote to memory of 668	1012	FAKTURA DHL.exe	90
PID 1012 wrote to memory of 668	1012	FAKTURA DHL.exe	90
PID 1012 wrote to memory of 2236	1012	FAKTURA DHL.exe	91
PID 1012 wrote to memory of 2236	1012	FAKTURA DHL.exe	91
PID 1012 wrote to memory of 2236	1012	FAKTURA DHL.exe	91
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 1012 wrote to memory of 2052	1012	FAKTURA DHL.exe	92
PID 2052 wrote to memory of 4652	2052	FAKTURA DHL.exe	93
PID 2052 wrote to memory of 4652	2052	FAKTURA DHL.exe	93
PID 2052 wrote to memory of 4652	2052	FAKTURA DHL.exe	93
PID 2052 wrote to memory of 1180	2052	FAKTURA DHL.exe	95
PID 2052 wrote to memory of 1180	2052	FAKTURA DHL.exe	95
PID 2052 wrote to memory of 1180	2052	FAKTURA DHL.exe	95
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 1180 wrote to memory of 2756	1180	Edge.exe	98
PID 2756 wrote to memory of 2224	2756	Edge.exe	99
PID 2756 wrote to memory of 2224	2756	Edge.exe	99
PID 2756 wrote to memory of 2224	2756	Edge.exe	99
PID 2756 wrote to memory of 1916	2756	Edge.exe	102
PID 2756 wrote to memory of 1916	2756	Edge.exe	102
PID 2756 wrote to memory of 1916	2756	Edge.exe	102
PID 2756 wrote to memory of 4340	2756	Edge.exe	103
PID 2756 wrote to memory of 4340	2756	Edge.exe	103
PID 2756 wrote to memory of 4340	2756	Edge.exe	103
PID 1916 wrote to memory of 1924	1916	cmd.exe	106
PID 1916 wrote to memory of 1924	1916	cmd.exe	106
PID 1916 wrote to memory of 1924	1916	cmd.exe	106
PID 1916 wrote to memory of 2328	1916	cmd.exe	107
PID 1916 wrote to memory of 2328	1916	cmd.exe	107
PID 1916 wrote to memory of 2328	1916	cmd.exe	107
PID 1916 wrote to memory of 3608	1916	cmd.exe	108
PID 1916 wrote to memory of 3608	1916	cmd.exe	108
PID 1916 wrote to memory of 3608	1916	cmd.exe	108
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109
PID 3608 wrote to memory of 1232	3608	Edge.exe	109

C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe
"C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe
  "C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe"
  2⤵
  PID:668
- C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe
  "C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe"
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe
  "C:\Users\Admin\AppData\Local\Temp\FAKTURA DHL.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Microsoft Edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe" /rl HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4652
- - C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Microsoft Edge" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe" /rl HIGHEST /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\THxSH3vG11yD.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2328
      - C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /delete /tn "Microsoft Edge" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FAKTURA DHL.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\THxSH3vG11yD.bat

Filesize
379B

MD5
0c6e849b0bc35708058357a510fd03cf

SHA1
72435aff4bc95df712aadf5785d7cf19e374acbd

SHA256
5c2cf61187e499eca62a5f3f53501a6e25e7fcfdfe67c69ccd7c847e3c1fa8a7

SHA512
d15554faf4252af33d28c33b9afec68ff0210da389665809a21570febdd0c964f438feb8cf05edce4453e2a0bc676563f3ee2047f920805e6d8810b9ba16c93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcaGFeGTE4A0.exe

Filesize
828KB

MD5
68e5cf1023f948fc2f80d109befc7014

SHA1
3c39d0428d64ae8b5f9f6f5a162bf510066b4ab8

SHA256
79c74568d2bf336938b6fd31213c3bf7dce6eedef6421dfb3de6249b7a4d4ac3

SHA512
4f51117176fd895d181c8e72ca69a8c5a6778888c47aeb5f7e6a99f8ad97f8a5d994222c03794e576e9256234f3888eb59be6b31a4dd5572fa27ba90f4ee6907

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Edge.exe

Filesize
3.7MB

MD5
7c5ba84841c124268a70f0a668d851cb

SHA1
b427e9c43f0a1a361f7bf38d5ea829e09a986f54

SHA256
6af042955207ac4aa13b739d44ab6292af8892ac013444326d15ead0fefdfabe

SHA512
523a026f20a80a120e107fbe32bcf8f8434910f9d20ae12c0cf4469b5a61fe120553f952c1724451ec40d3d043a874b57612278d9ed5834f9e85b4aaf928e64a

Download Submit
memory/1012-8-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1012-14-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1012-6-0x00000000056E0000-0x00000000056FE000-memory.dmp

Filesize
120KB

Download
memory/1012-7-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/1012-0-0x000000007495E000-0x000000007495F000-memory.dmp

Filesize
4KB

Download
memory/1012-9-0x000000000B010000-0x000000000B378000-memory.dmp

Filesize
3.4MB

Download
memory/1012-10-0x00000000063A0000-0x000000000643C000-memory.dmp

Filesize
624KB

Download
memory/1012-2-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/1012-5-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/1012-3-0x0000000005060000-0x00000000050F2000-memory.dmp

Filesize
584KB

Download
memory/1012-1-0x00000000002C0000-0x0000000000680000-memory.dmp

Filesize
3.8MB

Download
memory/1012-4-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1180-29-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1180-23-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1180-24-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1180-25-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/1232-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2052-13-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2052-22-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2052-15-0x0000000074950000-0x0000000075100000-memory.dmp

Filesize
7.7MB

Download
memory/2052-11-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2756-30-0x0000000006F60000-0x0000000007578000-memory.dmp

Filesize
6.1MB

Download
memory/2756-31-0x0000000006AF0000-0x0000000006B40000-memory.dmp

Filesize
320KB

Download
memory/2756-32-0x0000000006D60000-0x0000000006E12000-memory.dmp

Filesize
712KB

Download
memory/2756-33-0x0000000006D30000-0x0000000006D42000-memory.dmp

Filesize
72KB

Download
memory/2756-34-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/2756-35-0x0000000008070000-0x00000000080D6000-memory.dmp

Filesize
408KB

Download
memory/3608-45-0x0000000000E00000-0x0000000000ED6000-memory.dmp

Filesize
856KB

Download
memory/3608-46-0x00000000030B0000-0x0000000003136000-memory.dmp

Filesize
536KB

Download