agenttesla | 18419205b776ad7de03bfb3abf64d5ac97e50e79e87b7591bcff3e667042d0b9

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dekont.pdf.exe
Size

1.6MB
MD5

89ca21034328458a20418d85211e2a32
SHA1

7eff6c36a2104231dab0c665b4cfe23479df6c92
SHA256

b5ca8fbe69f6cc1ce98e1a5b51daadb7749786efae91a320e2148cd0da30f42f
SHA512

afde5b1e081c10fc00cbec24e4b94ee3b616f637b50f1d1480fef9ac97bec1ed3356a971d3c8f32f479b3cef2912b6aa5b85be1d6c92e20b7542ccd7ebb71aa3
SSDEEP

49152:+pCG8Aq/oZ4FDMopTWfqEUU2Zklsi9LPTF:+phnqMopafSulswLB

Score

10^/10

agenttesla blustealer collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

blustealer

https://api.telegram.org/bot5310184325:AAFI3fSQ6VcGu_NSTmv7d-qK2WCVhYY_qfg/sendMessage?chat_id=1293496579

Extracted

Family

agenttesla

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
Blustealer family
blustealer

Executes dropped EXE 3 IoCs

pid	Process
2752	DL NETIVE BOTNET LOGS.exe
2140	wwdktp.exe
1976	RegSvcs.exe

Loads dropped DLL 7 IoCs

pid	Process
2360	Dekont.pdf.exe
2360	Dekont.pdf.exe
2360	Dekont.pdf.exe
2360	Dekont.pdf.exe
2360	Dekont.pdf.exe
2980	WScript.exe
2140	wwdktp.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\2_97\\wwdktp.exe C:\\Users\\Admin\\AppData\\Roaming\\2_97\\pfxrudu.csx"	wwdktp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2140 set thread context of 1976	2140	wwdktp.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dekont.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DL NETIVE BOTNET LOGS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwdktp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1976	RegSvcs.exe
1976	RegSvcs.exe
1976	RegSvcs.exe
1976	RegSvcs.exe
1976	RegSvcs.exe
1976	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1976	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2752	DL NETIVE BOTNET LOGS.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2752	2360	Dekont.pdf.exe	31
PID 2360 wrote to memory of 2752	2360	Dekont.pdf.exe	31
PID 2360 wrote to memory of 2752	2360	Dekont.pdf.exe	31
PID 2360 wrote to memory of 2752	2360	Dekont.pdf.exe	31
PID 2360 wrote to memory of 2980	2360	Dekont.pdf.exe	32
PID 2360 wrote to memory of 2980	2360	Dekont.pdf.exe	32
PID 2360 wrote to memory of 2980	2360	Dekont.pdf.exe	32
PID 2360 wrote to memory of 2980	2360	Dekont.pdf.exe	32
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2980 wrote to memory of 2140	2980	WScript.exe	33
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2752 wrote to memory of 2308	2752	DL NETIVE BOTNET LOGS.exe	34
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35
PID 2140 wrote to memory of 1976	2140	wwdktp.exe	35

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe
  "C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe" Saint-Ã‰tienne-du-Mont is a church located on the Montagne Sainte-GeneviÃ¨ve
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    PID:2308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe
    "C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe" pfxrudu.csx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2_97\bsbrhqxpgh.xml

Filesize
61KB

MD5
b57c37a2c59a2551ae13d6fd371b52cd

SHA1
f9826276ba9babe31e0b7da7d536eb48cac92fef

SHA256
c04c01d87496f375c10e6dd2bb56078a4ead5c8e859db9e3556e70831c368b48

SHA512
e97d6c33edc7cda4b59e8837f24b7117211730e305c0069b1a92904e2cd9a6f5125815f7bea3242deef67a1a6e2d519166e4301431746a960c8d83d104ec50bc

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\deengndh.pbi

Filesize
419KB

MD5
0fe976b7e971a0f2d37ab91f110bf80b

SHA1
19bd18338a8254bfefbc684e618908ada7558810

SHA256
4214c2a50fb58accdab07c73ca3f60bc3da9167f3d350f04be274410f8cde27f

SHA512
710bfa5079b6109612e869ac2f72708ddd15467a9b190ef0554888fffc9c41c0fc7d7099584d49d1c7e1f298409d4da7a797a14f635d9891ed62f7ff0f49b001

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe

Filesize
22KB

MD5
af6eceb44fc6c4edcb616cf5f3057496

SHA1
befd9bf9fee1b9dfcf5431b490f40523e0e41748

SHA256
d14064ae7096b0db9041e75b5b59badf6535f461f08a64d77c3429e0b8242725

SHA512
2b5dd6f2a7d41ef71f58a0bd027875087ddb5a2651fc2e961f1666caf722d0501619661cef0f9e5405b69f301a921ec14ecfba9d9b30f4159ff6c89807c4211f

Download Submit
\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe

Filesize
440KB

MD5
61f35c53811bb66d62effc5a53de458f

SHA1
e4507c6a3d5c3d01f19c487366044febb126ca70

SHA256
833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

SHA512
5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

Download Submit
\Users\Admin\AppData\Roaming\2_97\wwdktp.exe

Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
memory/1976-195-0x0000000000250000-0x000000000091C000-memory.dmp

Filesize
6.8MB

Download
memory/1976-197-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1976-201-0x0000000000250000-0x000000000091C000-memory.dmp

Filesize
6.8MB

Download
memory/1976-198-0x0000000000250000-0x000000000091C000-memory.dmp

Filesize
6.8MB

Download
memory/1976-200-0x0000000000250000-0x000000000091C000-memory.dmp

Filesize
6.8MB

Download
memory/1976-203-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2308-183-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/2308-180-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2308-189-0x0000000000E30000-0x0000000000EEC000-memory.dmp

Filesize
752KB

Download
memory/2308-182-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/2308-181-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download
memory/2308-178-0x0000000000090000-0x00000000000F6000-memory.dmp

Filesize
408KB

Download