agenttesla | 62ee006d2f4afb965c7ce1a3bb1b2085b72da57c0a6c79ad0cae12fc41fb2a96

Analysis

max time kernel
13s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FR OPTI.exe
Size

861KB
MD5

568cd98420699a0a18c181b7d2614c57
SHA1

d8069b859a1bc0c36b9d72af06e8b5d94fec1b5f
SHA256

62ee006d2f4afb965c7ce1a3bb1b2085b72da57c0a6c79ad0cae12fc41fb2a96
SHA512

24d8872e071c65967e13c1795170c0859e368a4e64ae5ab0debcd80083cc3623977a7b22024003e79b3e13ff4286bb0f734b5f81ce7e34ea2ed455ab40aa215b
SSDEEP

24576:W4TQcPTAcySiDNpfVkqgfPyU8/oa8reuaD:b70nS4pfVkqgy6r3a

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AgentTesla payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/1800-6-0x0000000006340000-0x0000000006552000-memory.dmp family_agenttesla

resource	yara_rule
behavioral2/memory/1800-6-0x0000000006340000-0x0000000006552000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

FR OPTI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	FR OPTI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	FR OPTI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	FR OPTI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FR OPTI.exe

description pid process

Token: SeDebugPrivilege 1800 FR OPTI.exe

description	pid	process
Token: SeDebugPrivilege	1800	FR OPTI.exe

C:\Users\Admin\AppData\Local\Temp\FR OPTI.exe
"C:\Users\Admin\AppData\Local\Temp\FR OPTI.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
1⤵
PID:3604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\archivo.exe
Filesize
1KB

MD5
6d0876b175d610224fca8e4d990a71fc

SHA1
5d186461f2842fed89b9b356336597da9bf67fc3

SHA256
afe1163194ae3bfd3be9382c367e108d0d1d1923895dd8e3bbe7fec60bdf4a10

SHA512
c06d108fd04b9f69e21dc17c1d88b31ce53043530ae8652c1f1c7185aac524c8ed6d534b2f9cfaf7806c9d20365ab30de0613eabbd4b8b002a64b75e6f952c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivo.exe
Filesize
496B

MD5
41a4677168632435af647878f67619cd

SHA1
db834578fa70e99936855bd8b67b6ae0ffb0af04

SHA256
ef46da6f476b504e09b1521e896c7c42587d3c5f59bac010752472aadc2a1b0b

SHA512
493165ec114a4b7972931555a52693a1798099a67ab3f9f1b59a3fd03156a1b310d1847fb1341176ac51b6a4544087ab017b4750ee3dd22ab512c0077cc8434f

Download Submit
C:\Users\Admin\AppData\Local\Temp\archivo.exe
Filesize
2KB

MD5
e2c86463b636dbb23614b4badd869081

SHA1
e22be4602c26dd812485a3614d84a018e4c59441

SHA256
fadfe908a2480b97227793be630699e1046e503787f34dbb5ae00c52afb8dc8c

SHA512
3012d9644329869dbae833701e7214ad6710a236cf928b7da501e64be1bd23d36189b2d866ef812df259fb05984b1d698899869be0fbc6ab24495b8fe12eb86c

Download Submit
memory/1800-6-0x0000000006340000-0x0000000006552000-memory.dmp

Filesize
2.1MB

Download
memory/1800-4-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/1800-5-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-0-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/1800-7-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-3-0x0000000005880000-0x0000000005912000-memory.dmp

Filesize
584KB

Download
memory/1800-17-0x000000007470E000-0x000000007470F000-memory.dmp

Filesize
4KB

Download
memory/1800-2-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/1800-27-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download
memory/1800-1-0x0000000000E80000-0x0000000000F62000-memory.dmp

Filesize
904KB

Download
memory/1800-37-0x0000000074700000-0x0000000074EB0000-memory.dmp

Filesize
7.7MB

Download