agenttesla | 18419205b776ad7de03bfb3abf64d5ac97e50e79e87b7591bcff3e667042d0b9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2025, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dekont.pdf.exe
Size

1.6MB
MD5

89ca21034328458a20418d85211e2a32
SHA1

7eff6c36a2104231dab0c665b4cfe23479df6c92
SHA256

b5ca8fbe69f6cc1ce98e1a5b51daadb7749786efae91a320e2148cd0da30f42f
SHA512

afde5b1e081c10fc00cbec24e4b94ee3b616f637b50f1d1480fef9ac97bec1ed3356a971d3c8f32f479b3cef2912b6aa5b85be1d6c92e20b7542ccd7ebb71aa3
SSDEEP

49152:+pCG8Aq/oZ4FDMopTWfqEUU2Zklsi9LPTF:+phnqMopafSulswLB

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5422204482:AAEu-I3AZCMcCehYPkAHAbI6qEwhd1OKxpk/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Dekont.pdf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4216	DL NETIVE BOTNET LOGS.exe
2176	wwdktp.exe
3692	RegSvcs.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegSvcs.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\2_97\\wwdktp.exe C:\\Users\\Admin\\AppData\\Roaming\\2_97\\pfxrudu.csx"	wwdktp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 3692	2176	wwdktp.exe	91
PID 4216 set thread context of 220	4216	DL NETIVE BOTNET LOGS.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwdktp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dekont.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DL NETIVE BOTNET LOGS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000_Classes\Local Settings	Dekont.pdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3692	RegSvcs.exe
3692	RegSvcs.exe
3692	RegSvcs.exe
3692	RegSvcs.exe
3692	RegSvcs.exe
3692	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3692	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4216	DL NETIVE BOTNET LOGS.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4216	5084	Dekont.pdf.exe	87
PID 5084 wrote to memory of 4216	5084	Dekont.pdf.exe	87
PID 5084 wrote to memory of 4216	5084	Dekont.pdf.exe	87
PID 5084 wrote to memory of 4924	5084	Dekont.pdf.exe	89
PID 5084 wrote to memory of 4924	5084	Dekont.pdf.exe	89
PID 5084 wrote to memory of 4924	5084	Dekont.pdf.exe	89
PID 4924 wrote to memory of 2176	4924	WScript.exe	90
PID 4924 wrote to memory of 2176	4924	WScript.exe	90
PID 4924 wrote to memory of 2176	4924	WScript.exe	90
PID 2176 wrote to memory of 3692	2176	wwdktp.exe	91
PID 2176 wrote to memory of 3692	2176	wwdktp.exe	91
PID 2176 wrote to memory of 3692	2176	wwdktp.exe	91
PID 2176 wrote to memory of 3692	2176	wwdktp.exe	91
PID 2176 wrote to memory of 3692	2176	wwdktp.exe	91
PID 4216 wrote to memory of 220	4216	DL NETIVE BOTNET LOGS.exe	97
PID 4216 wrote to memory of 220	4216	DL NETIVE BOTNET LOGS.exe	97
PID 4216 wrote to memory of 220	4216	DL NETIVE BOTNET LOGS.exe	97
PID 4216 wrote to memory of 220	4216	DL NETIVE BOTNET LOGS.exe	97
PID 4216 wrote to memory of 220	4216	DL NETIVE BOTNET LOGS.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe
  "C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe" Saint-Ã‰tienne-du-Mont is a church located on the Montagne Sainte-GeneviÃ¨ve
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - outlook_office_path
    - outlook_win_path
    PID:220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe
    "C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe" pfxrudu.csx
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\DL NETIVE BOTNET LOGS.exe

Filesize
440KB

MD5
61f35c53811bb66d62effc5a53de458f

SHA1
e4507c6a3d5c3d01f19c487366044febb126ca70

SHA256
833be5c7dccf68c26164d893636d27cc0ee9f870c472ca52aa90e33477c66eb1

SHA512
5148a115d3665bb951d537231c8262af5bbffbbaa7a7f2110623a95cf935cd8a6b13e77f62a712f44b871ca3b4182f13d0fcd3ed26e8cd00657c31d043044384

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\bsbrhqxpgh.xml

Filesize
61KB

MD5
b57c37a2c59a2551ae13d6fd371b52cd

SHA1
f9826276ba9babe31e0b7da7d536eb48cac92fef

SHA256
c04c01d87496f375c10e6dd2bb56078a4ead5c8e859db9e3556e70831c368b48

SHA512
e97d6c33edc7cda4b59e8837f24b7117211730e305c0069b1a92904e2cd9a6f5125815f7bea3242deef67a1a6e2d519166e4301431746a960c8d83d104ec50bc

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\deengndh.pbi

Filesize
419KB

MD5
0fe976b7e971a0f2d37ab91f110bf80b

SHA1
19bd18338a8254bfefbc684e618908ada7558810

SHA256
4214c2a50fb58accdab07c73ca3f60bc3da9167f3d350f04be274410f8cde27f

SHA512
710bfa5079b6109612e869ac2f72708ddd15467a9b190ef0554888fffc9c41c0fc7d7099584d49d1c7e1f298409d4da7a797a14f635d9891ed62f7ff0f49b001

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\honhlhenc.vbe

Filesize
22KB

MD5
af6eceb44fc6c4edcb616cf5f3057496

SHA1
befd9bf9fee1b9dfcf5431b490f40523e0e41748

SHA256
d14064ae7096b0db9041e75b5b59badf6535f461f08a64d77c3429e0b8242725

SHA512
2b5dd6f2a7d41ef71f58a0bd027875087ddb5a2651fc2e961f1666caf722d0501619661cef0f9e5405b69f301a921ec14ecfba9d9b30f4159ff6c89807c4211f

Download Submit
C:\Users\Admin\AppData\Roaming\2_97\wwdktp.exe

Filesize
999KB

MD5
1dbba7abb9198c4247cbfb258fe5233d

SHA1
cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be

SHA256
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88

SHA512
503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98

Download Submit
memory/220-194-0x0000000005210000-0x00000000052CC000-memory.dmp

Filesize
752KB

Download
memory/220-193-0x0000000000D00000-0x0000000000D66000-memory.dmp

Filesize
408KB

Download
memory/3692-183-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/3692-184-0x0000000005290000-0x000000000532C000-memory.dmp

Filesize
624KB

Download
memory/3692-185-0x00000000051C0000-0x00000000051D8000-memory.dmp

Filesize
96KB

Download
memory/3692-186-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3692-187-0x0000000006340000-0x0000000006390000-memory.dmp

Filesize
320KB

Download
memory/3692-191-0x00000000067E0000-0x0000000006872000-memory.dmp

Filesize
584KB

Download
memory/3692-192-0x00000000067C0000-0x00000000067CA000-memory.dmp

Filesize
40KB

Download
memory/3692-182-0x0000000000500000-0x000000000053A000-memory.dmp

Filesize
232KB

Download
memory/3692-179-0x0000000000500000-0x0000000000BCC000-memory.dmp

Filesize
6.8MB

Download