agenttesla | 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
Size

1.1MB
MD5

3b1a4595328f7a92df02b7a116bc4f40
SHA1

cbd3e5a4e18bca01678b6d844ada7764cbd4a209
SHA256

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf
SHA512

590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aG3n5Bb3dKcuSD:sTvC/MTQYxsWR7ae5/Kcv

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jaszredony.hu
Port:
587
Username:
[email protected]
Password:
jRedony77
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

412 name.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
412	name.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\directory\name.exe autoit_exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 412 set thread context of 2164 412 name.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2164 RegSvcs.exe
2164 RegSvcs.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

name.exe

pid process

412 name.exe
412 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2164 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exename.exe

pid process

4216 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
4216 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
412 name.exe
412 name.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exename.exe

pid process

4216 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
4216 76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
412 name.exe
412 name.exe

flow	ioc
16	ip-api.com

resource	yara_rule
C:\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

description	pid	process	target process
PID 412 set thread context of 2164	412	name.exe	RegSvcs.exe

pid	process
2164	RegSvcs.exe
2164	RegSvcs.exe

pid	process
412	name.exe
412	name.exe

description	pid	process
Token: SeDebugPrivilege	2164	RegSvcs.exe

pid	process
4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
412	name.exe
412	name.exe

pid	process
4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
412	name.exe
412	name.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exename.exe

description	pid	process	target process
PID 4216 wrote to memory of 412	4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 4216 wrote to memory of 412	4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 4216 wrote to memory of 412	4216	76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe	name.exe
PID 412 wrote to memory of 2164	412	name.exe	RegSvcs.exe
PID 412 wrote to memory of 2164	412	name.exe	RegSvcs.exe
PID 412 wrote to memory of 2164	412	name.exe	RegSvcs.exe
PID 412 wrote to memory of 2164	412	name.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe
"C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4216

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jailless
Filesize
28KB

MD5
2aaa7b7930cddc427cf97397fae04c51

SHA1
3f6d95a1329a2ea064c9427b6139323c3f8eece5

SHA256
72aa831e1cb8286c8fba0408aba377dd57717735e326529f950a96a8d36afaca

SHA512
b2540c50e492cde805b6277bf216a8840ce6061adc2d37641b5a95279edda3a2f4e23da3dfc5b0964f6b99e0f9bb9bd055bc96a2957ddce87f3051d74c1ac449

Download Submit
C:\Users\Admin\AppData\Local\Temp\reindulging
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.1MB

MD5
3b1a4595328f7a92df02b7a116bc4f40

SHA1
cbd3e5a4e18bca01678b6d844ada7764cbd4a209

SHA256
76605d7a013bd7a9974299a201c92360faec54e4826e774ddca35fae33dab5bf

SHA512
590c07160fd86816573c5c80148c20392a0e2faa3fa4725f34ffe87b9c65b258e1a39cf744a3f3e4f7f920fb471b24f75acf35abeec56d5a1cbb35b0be7da28f

Download Submit
memory/2164-30-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/2164-28-0x0000000000580000-0x00000000005C2000-memory.dmp

Filesize
264KB

Download
memory/2164-29-0x00000000751DE000-0x00000000751DF000-memory.dmp

Filesize
4KB

Download
memory/2164-31-0x0000000004D80000-0x0000000004DE6000-memory.dmp

Filesize
408KB

Download
memory/2164-32-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/2164-34-0x0000000006000000-0x0000000006050000-memory.dmp

Filesize
320KB

Download
memory/2164-35-0x00000000060F0000-0x0000000006182000-memory.dmp

Filesize
584KB

Download
memory/2164-36-0x0000000006080000-0x000000000608A000-memory.dmp

Filesize
40KB

Download
memory/2164-37-0x00000000751DE000-0x00000000751DF000-memory.dmp

Filesize
4KB

Download
memory/2164-38-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/4216-10-0x0000000000DE0000-0x0000000000DE4000-memory.dmp

Filesize
16KB

Download