agenttesla | 6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
Size

989KB
MD5

991ca34ddd5dd8615fe906a88d80fb30
SHA1

9c870be932ba1396d3e33df1e6e455a20ddd99b2
SHA256

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d
SHA512

433f506691da6f04928351287c8cd5bcf658f14513779c949ec66e500b8a68f340e01feb82beefcdb21a30496eaef19d3f8fd94e217cac0bbadc3f1411cc72f4
SSDEEP

12288:iDDjV0vdloI9mDZ1vDFki1WT08fcUkuoRm/SIo6I6JT/sRfpdC6M:KjWvsIMZ1hkSuoYaY/sRfXC6M

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.zoho.eu
Port:
587
Username:
[email protected]
Password:
office12#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Executes dropped EXE 1 IoCs

Processes:

xfiles.exe

pid process

2004 xfiles.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2984 cmd.exe
2984 cmd.exe

pid	process
2004	xfiles.exe

pid	process
2984	cmd.exe
2984	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\xfiless = "C:\\Users\\Admin\\AppData\\Roaming\\xfiles.exe"	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2592 PING.EXE
2812 PING.EXE
2196 PING.EXE

pid	process
2592	PING.EXE
2812	PING.EXE
2196	PING.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exexfiles.exe

pid	process
2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
2004	xfiles.exe
2004	xfiles.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exexfiles.exe

description pid process

Token: SeDebugPrivilege 2228 6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
Token: SeDebugPrivilege 2004 xfiles.exe

description	pid	process
Token: SeDebugPrivilege	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
Token: SeDebugPrivilege	2004	xfiles.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.execmd.execmd.exexfiles.exe

description	pid	process	target process
PID 2228 wrote to memory of 2888	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2228 wrote to memory of 2888	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2228 wrote to memory of 2888	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2228 wrote to memory of 2888	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2888 wrote to memory of 2196	2888	cmd.exe	PING.EXE
PID 2888 wrote to memory of 2196	2888	cmd.exe	PING.EXE
PID 2888 wrote to memory of 2196	2888	cmd.exe	PING.EXE
PID 2888 wrote to memory of 2196	2888	cmd.exe	PING.EXE
PID 2228 wrote to memory of 2984	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2228 wrote to memory of 2984	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2228 wrote to memory of 2984	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2228 wrote to memory of 2984	2228	6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe	cmd.exe
PID 2984 wrote to memory of 2592	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2592	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2592	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2592	2984	cmd.exe	PING.EXE
PID 2888 wrote to memory of 2608	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2608	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2608	2888	cmd.exe	reg.exe
PID 2888 wrote to memory of 2608	2888	cmd.exe	reg.exe
PID 2984 wrote to memory of 2812	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2812	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2812	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2812	2984	cmd.exe	PING.EXE
PID 2984 wrote to memory of 2004	2984	cmd.exe	xfiles.exe
PID 2984 wrote to memory of 2004	2984	cmd.exe	xfiles.exe
PID 2984 wrote to memory of 2004	2984	cmd.exe	xfiles.exe
PID 2984 wrote to memory of 2004	2984	cmd.exe	xfiles.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe
PID 2004 wrote to memory of 2652	2004	xfiles.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 29 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xfiless" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\xfiles.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 29
3⤵
- Runs ping.exe
PID:2196

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "xfiless" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\xfiles.exe"
3⤵
- Adds Run key to start application
PID:2608

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 33 > nul && copy "C:\Users\Admin\AppData\Local\Temp\6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d_NeikiAnalytics.exe" "C:\Users\Admin\AppData\Roaming\xfiles.exe" && ping 127.0.0.1 -n 33 > nul && "C:\Users\Admin\AppData\Roaming\xfiles.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 33
3⤵
- Runs ping.exe
PID:2592

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 33
3⤵
- Runs ping.exe
PID:2812

C:\Users\Admin\AppData\Roaming\xfiles.exe
"C:\Users\Admin\AppData\Roaming\xfiles.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\xfiles.exe
Filesize
989KB

MD5
991ca34ddd5dd8615fe906a88d80fb30

SHA1
9c870be932ba1396d3e33df1e6e455a20ddd99b2

SHA256
6484a1beb77fa93cf21adbf91ba4c0c60985c2dab4be45370c7d8f48eedf0a7d

SHA512
433f506691da6f04928351287c8cd5bcf658f14513779c949ec66e500b8a68f340e01feb82beefcdb21a30496eaef19d3f8fd94e217cac0bbadc3f1411cc72f4

Download Submit
memory/2004-19-0x0000000000440000-0x0000000000446000-memory.dmp

Filesize
24KB

Download
memory/2004-18-0x0000000000CA0000-0x0000000000CBA000-memory.dmp

Filesize
104KB

Download
memory/2004-17-0x0000000000A10000-0x0000000000B0C000-memory.dmp

Filesize
1008KB

Download
memory/2228-4-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/2228-5-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-6-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/2228-3-0x0000000000D40000-0x0000000000D84000-memory.dmp

Filesize
272KB

Download
memory/2228-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-1-0x0000000000FB0000-0x00000000010AC000-memory.dmp

Filesize
1008KB

Download
memory/2652-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-26-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2652-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download