agenttesla | 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1

Analysis

max time kernel
132s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
Size

1.0MB
MD5

05b4a13a3d126cdd799e10c41b4b5af0
SHA1

243c8b9f0200db1d70a83a62a0fb082a720c1a29
SHA256

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1
SHA512

61934004d93eeecd27583a3b29fb63d5ab2793151d09165cd7f48a430f3607eb35ca7a3793f91a285cb2e4b149a81740dd4e2003d871a14c54fdd7f82ecaf418
SSDEEP

24576:aAHnh+eWsN3skA4RV1Hom2KXMmHa4Cdy4PosSnZmSIv5:th+ZkldoPK8Ya4CddGnZ58

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

Glagolitic.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs Glagolitic.exe
Executes dropped EXE 1 IoCs

Processes:

Glagolitic.exe

pid process

660 Glagolitic.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe autoit_exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Glagolitic.exe

description pid process target process

PID 660 set thread context of 4600 660 Glagolitic.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4600 RegSvcs.exe
4600 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Glagolitic.exe

pid process

660 Glagolitic.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4600 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exeGlagolitic.exe

pid process

4988 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
4988 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
660 Glagolitic.exe
660 Glagolitic.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exeGlagolitic.exe

pid process

4988 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
4988 8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
660 Glagolitic.exe
660 Glagolitic.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Glagolitic.vbs	Glagolitic.exe

pid	process
660	Glagolitic.exe

flow	ioc
24	ip-api.com

resource	yara_rule
C:\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe	autoit_exe

description	pid	process	target process
PID 660 set thread context of 4600	660	Glagolitic.exe	RegSvcs.exe

pid	process
4600	RegSvcs.exe
4600	RegSvcs.exe

pid	process
660	Glagolitic.exe

description	pid	process
Token: SeDebugPrivilege	4600	RegSvcs.exe

pid	process
4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
660	Glagolitic.exe
660	Glagolitic.exe

pid	process
4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
660	Glagolitic.exe
660	Glagolitic.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exeGlagolitic.exe

description	pid	process	target process
PID 4988 wrote to memory of 660	4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 4988 wrote to memory of 660	4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 4988 wrote to memory of 660	4988	8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe	Glagolitic.exe
PID 660 wrote to memory of 4600	660	Glagolitic.exe	RegSvcs.exe
PID 660 wrote to memory of 4600	660	Glagolitic.exe	RegSvcs.exe
PID 660 wrote to memory of 4600	660	Glagolitic.exe	RegSvcs.exe
PID 660 wrote to memory of 4600	660	Glagolitic.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe
"C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe
"C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mazatl
Filesize
239KB

MD5
1f24d41d08e3651d0a93e675b54805e0

SHA1
ba8a31554902e5c16dff5dea504a4be46b67092b

SHA256
d215a4291f4b196ddde3dc8959a0b1075f751495477884173f86a9c0de22a1d8

SHA512
f01a38b067f41ffc10928e39d1ec62d8822acb8f8ceeff889a3b4923fa6eae0c17acc95607e30292e7dfd27ccb291cb84685b07ce4702b5e60e160cc3195ea2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\conged
Filesize
28KB

MD5
8febc4a332ae780f214a1eff93b1f9eb

SHA1
c2a9c8f79787c171228f7de0d10582269bc34b1c

SHA256
32e33fe4c476421422f82b1a39670bc2c4fabe87c2f926d6be1589ad0fcf44e3

SHA512
1c0646dd82da9c428f5be635c73e37416c20e97fb86ad6313470fe3d7ca3f4e83db7036f7d8d962399d9cb7c148e1c2ea58361994ee05cf2915b55c0fe105af0

Download Submit
C:\Users\Admin\AppData\Local\Zalucki\Glagolitic.exe
Filesize
1.0MB

MD5
05b4a13a3d126cdd799e10c41b4b5af0

SHA1
243c8b9f0200db1d70a83a62a0fb082a720c1a29

SHA256
8d15bcc5eca4dbafc31d1ea92c4d34b86e5d30e6b4cb0da378570bdccd7242c1

SHA512
61934004d93eeecd27583a3b29fb63d5ab2793151d09165cd7f48a430f3607eb35ca7a3793f91a285cb2e4b149a81740dd4e2003d871a14c54fdd7f82ecaf418

Download Submit
memory/4600-30-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/4600-28-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-29-0x000000007520E000-0x000000007520F000-memory.dmp

Filesize
4KB

Download
memory/4600-31-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/4600-32-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4600-33-0x0000000006280000-0x00000000062D0000-memory.dmp

Filesize
320KB

Download
memory/4600-34-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/4600-35-0x0000000006300000-0x000000000630A000-memory.dmp

Filesize
40KB

Download
memory/4600-36-0x000000007520E000-0x000000007520F000-memory.dmp

Filesize
4KB

Download
memory/4600-37-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4988-10-0x0000000002350000-0x0000000002354000-memory.dmp

Filesize
16KB

Download