agenttesla | a071b2fe3a0f6a0298f93fd317b156a2a849163dcd899d074454ff8c1c64f215

Analysis

max time kernel
41s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rechnung.exe
Size

1.2MB
MD5

68d578e65d29914850f73fd7b74b6eb9
SHA1

e3acde3f3f4c54a92c5ac26c5a2c821fee8c9afa
SHA256

a6626f2d5d6338a226e5a11da7aa5a67035f8783f54aa1b8b72adf8d7d1a06c2
SHA512

a774a305e72c25df6787026fa4c899190375fc07623f5fbc900dc24719f10962904b969cfea4482f19019e6ebfba0bb4b6df9db2e55fcc1caa14d57b64271a6c
SSDEEP

24576:WAHnh+eWsN3skA4RV1Hom2KXMmHa4AvYH17u/Y0i5:xh+ZkldoPK8Ya4Av6KYN

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Rechnung.exe

description pid process target process

PID 1820 set thread context of 4724 1820 Rechnung.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

4724 RegSvcs.exe
4724 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Rechnung.exe

pid process

1820 Rechnung.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 4724 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Rechnung.exe

pid process

1820 Rechnung.exe
1820 Rechnung.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Rechnung.exe

pid process

1820 Rechnung.exe
1820 Rechnung.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 1820 set thread context of 4724	1820	Rechnung.exe	RegSvcs.exe

pid	process
4724	RegSvcs.exe
4724	RegSvcs.exe

pid	process
1820	Rechnung.exe

description	pid	process
Token: SeDebugPrivilege	4724	RegSvcs.exe

pid	process
1820	Rechnung.exe
1820	Rechnung.exe

pid	process
1820	Rechnung.exe
1820	Rechnung.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Rechnung.exe

description	pid	process	target process
PID 1820 wrote to memory of 4724	1820	Rechnung.exe	RegSvcs.exe
PID 1820 wrote to memory of 4724	1820	Rechnung.exe	RegSvcs.exe
PID 1820 wrote to memory of 4724	1820	Rechnung.exe	RegSvcs.exe
PID 1820 wrote to memory of 4724	1820	Rechnung.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Rechnung.exe
"C:\Users\Admin\AppData\Local\Temp\Rechnung.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Rechnung.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut4C4B.tmp
Filesize
262KB

MD5
f2eeb4db3f2d0ff356b1b3dfca93a434

SHA1
cd4a59cdc21cc2fab579e79edda095d76d3f5248

SHA256
871112690d88cb554d069ed7eae0d8789a1b17c297760a68df91061910a1e0ee

SHA512
4506412ddaa365c24c52638a9957a191305e8876f0c28d5def8d994f53bcdd1e5024bcacff4969210a4b516ded017cfee6186dacfb5f1263e4c091305716fc91

Download Submit
memory/1820-12-0x0000000001EF0000-0x0000000001EF4000-memory.dmp

Filesize
16KB

Download
memory/4724-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-16-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-17-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4724-18-0x0000000002B70000-0x0000000002BC4000-memory.dmp

Filesize
336KB

Download
memory/4724-20-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/4724-19-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-21-0x0000000002CD0000-0x0000000002D24000-memory.dmp

Filesize
336KB

Download
memory/4724-22-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-23-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-29-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-27-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-79-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-83-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-81-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-80-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-77-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-75-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-74-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-71-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-67-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-65-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-64-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-61-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-57-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-55-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-53-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-51-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-49-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-47-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-43-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-42-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-39-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-35-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-69-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-59-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-45-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-37-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-33-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-31-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-25-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-24-0x0000000002CD0000-0x0000000002D1D000-memory.dmp

Filesize
308KB

Download
memory/4724-1068-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/4724-1069-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-1070-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4724-1071-0x0000000006530000-0x0000000006580000-memory.dmp

Filesize
320KB

Download
memory/4724-1072-0x0000000006680000-0x0000000006712000-memory.dmp

Filesize
584KB

Download
memory/4724-1073-0x0000000006590000-0x000000000659A000-memory.dmp

Filesize
40KB

Download
memory/4724-1074-0x000000007443E000-0x000000007443F000-memory.dmp

Filesize
4KB

Download
memory/4724-1075-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-1076-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4724-1077-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download