agenttesla | f2d10e5bbaa0e8c55dce360d2917f34eca5ffedc0c0b5b226e321bff7a581c2d

Analysis

max time kernel
19s
max time network
59s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

E-Notification(Swift_Copy_000948736MTCB3827).exe
Size

1.1MB
MD5

41d58997e17d288cdf4733313e23e81c
SHA1

285f17ba04fdbcca6f18f8b61e8c794aa4ccabae
SHA256

63c0e81868b4d1d5744152cb95cbe7bdaaa4bc2670037276de94d80e5b0539c5
SHA512

7e46c84f4a09862472efec7d030fced7e2f6be2a6b4d9f2363837f44db7bb67285e1b5951c8c8053d9aa73edf952c254ca5e1479ea46d6010290624972d84c5a
SSDEEP

24576:3u6J33O0c+JY5UZ+XC0kGso6FaUiuxpZPFa2bG6WY:Ru0c++OCvkGs9FaUiufu2OY

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs	juvenile.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	juvenile.exe

Loads dropped DLL 1 IoCs

pid	Process
2608	E-Notification(Swift_Copy_000948736MTCB3827).exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016c1a-12.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2176 set thread context of 2148	2176	juvenile.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E-Notification(Swift_Copy_000948736MTCB3827).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	juvenile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2148	RegSvcs.exe
2148	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2176	juvenile.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2608	E-Notification(Swift_Copy_000948736MTCB3827).exe
2608	E-Notification(Swift_Copy_000948736MTCB3827).exe
2176	juvenile.exe
2176	juvenile.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2608	E-Notification(Swift_Copy_000948736MTCB3827).exe
2608	E-Notification(Swift_Copy_000948736MTCB3827).exe
2176	juvenile.exe
2176	juvenile.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2148	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 2176	2608	E-Notification(Swift_Copy_000948736MTCB3827).exe	29
PID 2608 wrote to memory of 2176	2608	E-Notification(Swift_Copy_000948736MTCB3827).exe	29
PID 2608 wrote to memory of 2176	2608	E-Notification(Swift_Copy_000948736MTCB3827).exe	29
PID 2608 wrote to memory of 2176	2608	E-Notification(Swift_Copy_000948736MTCB3827).exe	29
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30
PID 2176 wrote to memory of 2148	2176	juvenile.exe	30

C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe
"C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\antiprimer\juvenile.exe
  "C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\E-Notification(Swift_Copy_000948736MTCB3827).exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enterogenous

Filesize
264KB

MD5
9e0e7171e8c2d1c9f8f8a9efe8497350

SHA1
8d11766067a01bcf9e276614ad8fa21a1bcdabfe

SHA256
ddaa0204187fdd8e94df3308753b3271578cf621bad6c1b6e0e3cb99e7c3762b

SHA512
fe8ef7051790896841e8c62a011a7f8d09a10311b9876ea678915a189015cc8a48b45a2d6d955ab673e11f73441a20e8a69a91aa133a0b0a5293795de236aa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\enterogenous

Filesize
264KB

MD5
5ad9bc3334ba23ab536b67f3a8971ed7

SHA1
915701590e041e4c2e60ad4cb6af3ac4dc9d0ef1

SHA256
31f6898f0846391c72bd86d4983791af197ac2c191c9aa0f72e71f43981bed74

SHA512
f94c6d14e4cdd3add7f8c13f1798db558092894fe09121e0072bba6d07bc472e88a23bc4dbf8636939c21e735eee1d55eb640f2ed502f9e52d5e60d87f56f4b0

Download Submit
C:\Users\Admin\AppData\Local\antiprimer\juvenile.exe

Filesize
1.1MB

MD5
41d58997e17d288cdf4733313e23e81c

SHA1
285f17ba04fdbcca6f18f8b61e8c794aa4ccabae

SHA256
63c0e81868b4d1d5744152cb95cbe7bdaaa4bc2670037276de94d80e5b0539c5

SHA512
7e46c84f4a09862472efec7d030fced7e2f6be2a6b4d9f2363837f44db7bb67285e1b5951c8c8053d9aa73edf952c254ca5e1479ea46d6010290624972d84c5a

Download Submit
memory/2148-74-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-90-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2148-26-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2148-27-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2148-28-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2148-29-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/2148-30-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-31-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-32-0x00000000009C0000-0x0000000000A14000-memory.dmp

Filesize
336KB

Download
memory/2148-34-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-40-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-78-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-77-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-92-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-68-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-88-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-86-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-84-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-82-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-80-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-1103-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-1102-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-70-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-38-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-62-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-60-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-59-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-56-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-54-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-52-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-50-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-49-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-46-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-44-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-43-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-72-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-64-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-66-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-36-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-33-0x00000000009C0000-0x0000000000A0E000-memory.dmp

Filesize
312KB

Download
memory/2148-1099-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-1100-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2148-1101-0x000000007429E000-0x000000007429F000-memory.dmp

Filesize
4KB

Download
memory/2176-22-0x0000000000CD0000-0x00000000010D0000-memory.dmp

Filesize
4.0MB

Download
memory/2608-7-0x00000000008D0000-0x0000000000CD0000-memory.dmp

Filesize
4.0MB

Download