agenttesla | 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
Size

1.0MB
MD5

05b4a13a3d126cdd799e10c41b4b5af0
SHA1

243c8b9f0200db1d70a83a62a0fb082a720c1a29
SHA256

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1
SHA512

61934004d93eeecd27583a3b29fb63d5ab2793151d09165cd7f48a430f3607eb35ca7a3793f91a285cb2e4b149a81740dd4e2003d871a14c54fdd7f82ecaf418
SSDEEP

24576:aAHnh+eWsN3skA4RV1Hom2KXMmHa4Cdy4PosSnZmSIv5:th+ZkldoPK8Ya4CddGnZ58

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

Glagolitic.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs Glagolitic.exe
Executes dropped EXE 1 IoCs

Processes:

Glagolitic.exe

pid process

2212 Glagolitic.exe
Loads dropped DLL 1 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe

pid process

1732 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe autoit_exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Glagolitic.exe

description pid process target process

PID 2212 set thread context of 2672 2212 Glagolitic.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2672 RegSvcs.exe
2672 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Glagolitic.exe

pid process

2212 Glagolitic.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2672 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exeGlagolitic.exe

pid process

1732 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
1732 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
2212 Glagolitic.exe
2212 Glagolitic.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exeGlagolitic.exe

pid process

1732 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
1732 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
2212 Glagolitic.exe
2212 Glagolitic.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs	Glagolitic.exe

pid	process
2212	Glagolitic.exe

pid	process
1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe

flow	ioc
4	ip-api.com

resource	yara_rule
\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe	autoit_exe

description	pid	process	target process
PID 2212 set thread context of 2672	2212	Glagolitic.exe	RegSvcs.exe

pid	process
2672	RegSvcs.exe
2672	RegSvcs.exe

pid	process
2212	Glagolitic.exe

description	pid	process
Token: SeDebugPrivilege	2672	RegSvcs.exe

pid	process
1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
2212	Glagolitic.exe
2212	Glagolitic.exe

pid	process
1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
2212	Glagolitic.exe
2212	Glagolitic.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exeGlagolitic.exe

description	pid	process	target process
PID 1732 wrote to memory of 2212	1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 1732 wrote to memory of 2212	1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 1732 wrote to memory of 2212	1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 1732 wrote to memory of 2212	1732	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe
PID 2212 wrote to memory of 2672	2212	Glagolitic.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
"C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe
"C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mazatl
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\conged
Filesize
28KB

MD5
8febc4a332ae780f214a1eff93b1f9eb

SHA1
c2a9c8f79787c171228f7de0d10582269bc34b1c

SHA256
32e33fe4c476421422f82b1a39670bc2c4fabe87c2f926d6be1589ad0fcf44e3

SHA512
1c0646dd82da9c428f5be635c73e37416c20e97fb86ad6313470fe3d7ca3f4e83db7036f7d8d962399d9cb7c148e1c2ea58361994ee05cf2915b55c0fe105af0

Download Submit
\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe
Filesize
1.0MB

MD5
05b4a13a3d126cdd799e10c41b4b5af0

SHA1
243c8b9f0200db1d70a83a62a0fb082a720c1a29

SHA256
8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1

SHA512
61934004d93eeecd27583a3b29fb63d5ab2793151d09165cd7f48a430f3607eb35ca7a3793f91a285cb2e4b149a81740dd4e2003d871a14c54fdd7f82ecaf418

Download Submit
memory/1732-10-0x0000000000810000-0x0000000000814000-memory.dmp

Filesize
16KB

Download
memory/2672-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2672-35-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

Filesize
4KB

Download
memory/2672-36-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-37-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

Filesize
4KB

Download
memory/2672-38-0x0000000073B90000-0x000000007427E000-memory.dmp

Filesize
6.9MB

Download