agenttesla | 01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LUNA RAIDER.exe
Size

8.2MB
MD5

0437fa16eec1dedfd1ddf69afcccbf0f
SHA1

1649d8123ebbbc26857b0383efbbc8c329f23161
SHA256

01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712
SHA512

5e995a9b3ec1cee80700f4c7f264b09f826a67bdfc65c67bb848815f5289656580e3f62853e0397da0a425ba28fabe385674320d53c36363abab2b2497de5eb2
SSDEEP

196608:b2qInJf+oTjOGNW+8u8tMmo/UIaIZQHFUQsGZgqBPtgsV:b2qIn4GN8osIVZQu6gAFgk

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AgentTesla payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/1440-3-0x0000000005700000-0x00000000058F6000-memory.dmp family_agenttesla
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral1/memory/1440-6-0x0000000005A70000-0x0000000005BFE000-memory.dmp agile_net
behavioral1/memory/1440-7-0x00000000060E0000-0x000000000622E000-memory.dmp agile_net
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2616 1440 WerFault.exe LUNA RAIDER.exe

resource	yara_rule
behavioral1/memory/1440-3-0x0000000005700000-0x00000000058F6000-memory.dmp	family_agenttesla

resource	yara_rule
behavioral1/memory/1440-6-0x0000000005A70000-0x0000000005BFE000-memory.dmp	agile_net
behavioral1/memory/1440-7-0x00000000060E0000-0x000000000622E000-memory.dmp	agile_net

pid	pid_target	process	target process
2616	1440	WerFault.exe	LUNA RAIDER.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

LUNA RAIDER.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	LUNA RAIDER.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	LUNA RAIDER.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	LUNA RAIDER.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

LUNA RAIDER.exe

description	pid	process	target process
PID 1440 wrote to memory of 2616	1440	LUNA RAIDER.exe	WerFault.exe
PID 1440 wrote to memory of 2616	1440	LUNA RAIDER.exe	WerFault.exe
PID 1440 wrote to memory of 2616	1440	LUNA RAIDER.exe	WerFault.exe
PID 1440 wrote to memory of 2616	1440	LUNA RAIDER.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe
"C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 824
2⤵
- Program crash
PID:2616

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-0-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/1440-1-0x0000000000BB0000-0x00000000013F6000-memory.dmp

Filesize
8.3MB

Download
memory/1440-2-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download
memory/1440-3-0x0000000005700000-0x00000000058F6000-memory.dmp

Filesize
2.0MB

Download
memory/1440-4-0x0000000005220000-0x000000000536E000-memory.dmp

Filesize
1.3MB

Download
memory/1440-5-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/1440-6-0x0000000005A70000-0x0000000005BFE000-memory.dmp

Filesize
1.6MB

Download
memory/1440-7-0x00000000060E0000-0x000000000622E000-memory.dmp

Filesize
1.3MB

Download
memory/1440-8-0x0000000004C60000-0x0000000004C90000-memory.dmp

Filesize
192KB

Download
memory/1440-9-0x0000000008BA0000-0x0000000008CB6000-memory.dmp

Filesize
1.1MB

Download
memory/1440-10-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/1440-11-0x0000000074510000-0x0000000074BFE000-memory.dmp

Filesize
6.9MB

Download