agenttesla | 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Size

1.1MB
MD5

3b1a4595328f7a92df02b7a116bc4f40
SHA1

cbd3e5a4e18bca01678b6d844ada7764cbd4a209
SHA256

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf
SHA512

590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aG3n5Bb3dKcuSD:sTvC/MTQYxsWR7ae5/Kcv

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jaszredony.hu
Port:
587
Username:
[email protected]
Password:
jRedony77
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

2924 name.exe
Loads dropped DLL 1 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe

pid process

3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2924	name.exe

pid	process
3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe
behavioral1/memory/2924-29-0x0000000000090000-0x00000000001B6000-memory.dmp	autoit_exe
behavioral1/memory/2924-36-0x0000000000090000-0x00000000001B6000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 2924 set thread context of 2556 2924 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2556 RegSvcs.exe
2556 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

name.exe

pid process

2924 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2556 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exename.exe

pid process

3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
2924 name.exe
2924 name.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exename.exe

pid process

3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
3056 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
2924 name.exe
2924 name.exe

description	pid	process	target process
PID 2924 set thread context of 2556	2924	name.exe	RegSvcs.exe

pid	process
2556	RegSvcs.exe
2556	RegSvcs.exe

pid	process
2924	name.exe

description	pid	process
Token: SeDebugPrivilege	2556	RegSvcs.exe

pid	process
3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
2924	name.exe
2924	name.exe

pid	process
3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
2924	name.exe
2924	name.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exename.exe

description	pid	process	target process
PID 3056 wrote to memory of 2924	3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 3056 wrote to memory of 2924	3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 3056 wrote to memory of 2924	3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 3056 wrote to memory of 2924	3056	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe
PID 2924 wrote to memory of 2556	2924	name.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
"C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jailless
Filesize
28KB

MD5
2aaa7b7930cddc427cf97397fae04c51

SHA1
3f6d95a1329a2ea064c9427b6139323c3f8eece5

SHA256
72aa831e1cb8286c8fba0408aba377dd57717735e326529f950a96a8d36afaca

SHA512
b2540c50e492cde805b6277bf216a8840ce6061adc2d37641b5a95279edda3a2f4e23da3dfc5b0964f6b99e0f9bb9bd055bc96a2957ddce87f3051d74c1ac449

Download Submit
C:\Users\Admin\AppData\Local\Temp\reindulging
Filesize
239KB

MD5
64365f14bf8c2965cfc7a2cc25eb9c22

SHA1
f15f3895247ea0cd2373d36c7494885c3b9cb91e

SHA256
e63c7d4475ad0d2319c0e49e7e6d16489ec9106d163b0005807e3fdbc013168d

SHA512
4d2250c3f85cdaaa1028ad790f2b3e5e1af568185c58d5b548575e9353f8b929b99bb83b3fe1032b3082efd5276d4c108028b851a63a8e6aade49617ddd74d7f

Download Submit
\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.1MB

MD5
3b1a4595328f7a92df02b7a116bc4f40

SHA1
cbd3e5a4e18bca01678b6d844ada7764cbd4a209

SHA256
76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf

SHA512
590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f

Download Submit
memory/2556-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-35-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-37-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2556-38-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-40-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2556-41-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-29-0x0000000000090000-0x00000000001B6000-memory.dmp

Filesize
1.1MB

Download
memory/2924-36-0x0000000000090000-0x00000000001B6000-memory.dmp

Filesize
1.1MB

Download
memory/3056-10-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download