agenttesla | 2edde6c7e98529244fcb35dc2b2f4bf4f3b99cbf886e337b4d72d53df6453ce1

Analysis

max time kernel
105s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Datasheet.pdf.exe
Size

1.2MB
MD5

c18297b5b53a4847e696422d83d408d7
SHA1

a1e8794a74797b2df257957107d7c36a73e1c52e
SHA256

4a1b06e809dd5c48be6fe00d20a2117197159a21cc8cb5840fe64cd8b31661bd
SHA512

46fba0e6efd1d654ded72a2086341e284f3880f258cf7fff079d744aafd15ca857538949fddc0e493c85f3e5d4eee8580fd7d8a4176316cb9eb47a0342392458
SSDEEP

24576:Ju6J33O0c+JY5UZ+XC0kGso6Fax4H444tjQ8nYz3Jsnzvd2WY:ru0c++OCvkGs9Fax4H444tjQ8nuJsbY

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\penstocks.vbs	penstocks.exe

Executes dropped EXE 2 IoCs

pid	Process
640	penstocks.exe
5856	penstocks.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	api.ipify.org
25	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002423d-9.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5856 set thread context of 4912	5856	penstocks.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Datasheet.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penstocks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	penstocks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4912	RegSvcs.exe
4912	RegSvcs.exe
4912	RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
640	penstocks.exe
5856	penstocks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
6060	Datasheet.pdf.exe
6060	Datasheet.pdf.exe
640	penstocks.exe
640	penstocks.exe
5856	penstocks.exe
5856	penstocks.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
6060	Datasheet.pdf.exe
6060	Datasheet.pdf.exe
640	penstocks.exe
640	penstocks.exe
5856	penstocks.exe
5856	penstocks.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4912	RegSvcs.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 6060 wrote to memory of 640	6060	Datasheet.pdf.exe	89
PID 6060 wrote to memory of 640	6060	Datasheet.pdf.exe	89
PID 6060 wrote to memory of 640	6060	Datasheet.pdf.exe	89
PID 640 wrote to memory of 4856	640	penstocks.exe	90
PID 640 wrote to memory of 4856	640	penstocks.exe	90
PID 640 wrote to memory of 4856	640	penstocks.exe	90
PID 640 wrote to memory of 5856	640	penstocks.exe	91
PID 640 wrote to memory of 5856	640	penstocks.exe	91
PID 640 wrote to memory of 5856	640	penstocks.exe	91
PID 5856 wrote to memory of 4912	5856	penstocks.exe	94
PID 5856 wrote to memory of 4912	5856	penstocks.exe	94
PID 5856 wrote to memory of 4912	5856	penstocks.exe	94
PID 5856 wrote to memory of 4912	5856	penstocks.exe	94

C:\Users\Admin\AppData\Local\Temp\Datasheet.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Datasheet.pdf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6060
- C:\Users\Admin\AppData\Local\extrorsal\penstocks.exe
  "C:\Users\Admin\AppData\Local\Temp\Datasheet.pdf.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Datasheet.pdf.exe"
    3⤵
    PID:4856
- - C:\Users\Admin\AppData\Local\extrorsal\penstocks.exe
    "C:\Users\Admin\AppData\Local\extrorsal\penstocks.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\extrorsal\penstocks.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut6765.tmp

Filesize
259KB

MD5
4d4592a2eeaae315663719c9f96ad10f

SHA1
d05e93aefe807fcc3db47126168cd8eaccf276cf

SHA256
3a2eec19a9d77b2f88681234ba6871c023b1608e381e58300ee7e4bde2c11052

SHA512
dfd2b73fb957a719ecf14836230d7202a449791cc3e31f274e671571ceb3c49b0030e6e814701a8a4a873a8831513f91ed6ead1d7bbdb7ec5f3fcfb3adcd65ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\unjust

Filesize
262KB

MD5
5bbac1cd6bfc2e96e5eb8fbf4bc85963

SHA1
757a8db75bcbf83d26dc4a6cd2809fecb2e4eda8

SHA256
b56baae24268d8a94da07828da2a0e8226f7dc87274171f6ab69056ff9941dac

SHA512
743ced6f307cb391191b9aa08dc9d60c69544cbbb0ef26f6d9db84f16d6c137693ccf2df3d9fde90fc13f2fddedd25875bd0188ed48d7843de997f763d107557

Download Submit
C:\Users\Admin\AppData\Local\extrorsal\penstocks.exe

Filesize
1.2MB

MD5
c18297b5b53a4847e696422d83d408d7

SHA1
a1e8794a74797b2df257957107d7c36a73e1c52e

SHA256
4a1b06e809dd5c48be6fe00d20a2117197159a21cc8cb5840fe64cd8b31661bd

SHA512
46fba0e6efd1d654ded72a2086341e284f3880f258cf7fff079d744aafd15ca857538949fddc0e493c85f3e5d4eee8580fd7d8a4176316cb9eb47a0342392458

Download Submit
memory/640-18-0x00000000015C0000-0x00000000019C0000-memory.dmp

Filesize
4.0MB

Download
memory/4912-95-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-41-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-32-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4912-31-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4912-33-0x0000000004F50000-0x0000000004FA4000-memory.dmp

Filesize
336KB

Download
memory/4912-34-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/4912-35-0x0000000004FF0000-0x0000000005042000-memory.dmp

Filesize
328KB

Download
memory/4912-45-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-51-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-49-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-47-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-87-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-75-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-83-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-43-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-85-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-39-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-37-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-36-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-29-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4912-93-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-91-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-30-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4912-89-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-61-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-1068-0x0000000005220000-0x0000000005286000-memory.dmp

Filesize
408KB

Download
memory/4912-81-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-79-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-77-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-73-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-71-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-69-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-67-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-65-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-63-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-59-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-57-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-55-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-53-0x0000000004FF0000-0x000000000503D000-memory.dmp

Filesize
308KB

Download
memory/4912-1069-0x0000000006540000-0x0000000006590000-memory.dmp

Filesize
320KB

Download
memory/4912-1070-0x0000000006630000-0x00000000066C2000-memory.dmp

Filesize
584KB

Download
memory/4912-1071-0x00000000067C0000-0x00000000067CA000-memory.dmp

Filesize
40KB

Download
memory/4912-1072-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5856-28-0x0000000001120000-0x0000000001520000-memory.dmp

Filesize
4.0MB

Download
memory/6060-6-0x0000000001040000-0x0000000001440000-memory.dmp

Filesize
4.0MB

Download