agenttesla | 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
Size

1.1MB
MD5

9c39e700a95a5444c8d9e013547d615d
SHA1

a728c89f5afe447c63aa5ec80e8e70c98b105553
SHA256

1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d
SHA512

cc0aa255bc9284cd5f4038ce89c14736b7122a056d7b1911bfea4152535ae962b58d9e09f24a1b61057c7f70eed808da7b7f7423a083f8887a7023ffa88449f8
SSDEEP

24576:TqDEvCTbMWu7rQYlBQcBiT6rprG8a03u+YPUnOl:TTvC/MTQYxsWR7aco1

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jaszredony.hu
Port:
587
Username:
[email protected]
Password:
jRedony77
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

2964 name.exe
Loads dropped DLL 6 IoCs

Processes:

1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exeWerFault.exe

pid process

2152 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2648 WerFault.exe
2648 WerFault.exe
2648 WerFault.exe
2648 WerFault.exe
2648 WerFault.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2964	name.exe

pid	process
2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	RegSvcs.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

\Users\Admin\AppData\Local\directory\name.exe autoit_exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

name.exe

description pid process target process

PID 2964 set thread context of 2132 2964 name.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2648 2964 WerFault.exe name.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2132 RegSvcs.exe
2132 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

name.exe

pid process

2964 name.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2132 RegSvcs.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exename.exe

pid process

2152 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2152 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2964 name.exe
2964 name.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exename.exe

pid process

2152 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2152 1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2964 name.exe
2964 name.exe

flow	ioc
4	ip-api.com

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

description	pid	process	target process
PID 2964 set thread context of 2132	2964	name.exe	RegSvcs.exe

pid	pid_target	process	target process
2648	2964	WerFault.exe	name.exe

pid	process
2132	RegSvcs.exe
2132	RegSvcs.exe

pid	process
2964	name.exe

description	pid	process
Token: SeDebugPrivilege	2132	RegSvcs.exe

pid	process
2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2964	name.exe
2964	name.exe

pid	process
2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
2964	name.exe
2964	name.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exename.exe

description	pid	process	target process
PID 2152 wrote to memory of 2964	2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe	name.exe
PID 2152 wrote to memory of 2964	2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe	name.exe
PID 2152 wrote to memory of 2964	2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe	name.exe
PID 2152 wrote to memory of 2964	2152	1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe	name.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2132	2964	name.exe	RegSvcs.exe
PID 2964 wrote to memory of 2648	2964	name.exe	WerFault.exe
PID 2964 wrote to memory of 2648	2964	name.exe	WerFault.exe
PID 2964 wrote to memory of 2648	2964	name.exe	WerFault.exe
PID 2964 wrote to memory of 2648	2964	name.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe
"C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 320
3⤵
- Loads dropped DLL
- Program crash
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mazatl
Filesize
28KB

MD5
2cd06ce7bc2fd2b696e7569aa3790c92

SHA1
01fe1f337f50995cb1953c0920a1daa1f1a8a8ec

SHA256
51b8f9fb8cd4751037819dca977f48553b7b2b7cb336239ce17acbac6ef3e20c

SHA512
9574481907da09bf4b99744e7c44eb8a2313afebac2251ff73e6164b3c9bee56599a632dcdf1c85c035f3aa6b0381459fc2abab10ef3a2b888a0dbc475e1a949

Download Submit
C:\Users\Admin\AppData\Local\Temp\eupolyzoan
Filesize
239KB

MD5
0c2d88d4ae629e8b403d133c5e7297a5

SHA1
3fb24bf9423b7582944b8e0568c0a2d977739d6a

SHA256
32eafdcac101a0b34f3cd037498c59329d3a00940aacf3194c5473e05ea93324

SHA512
0dfd6d1b27ef48e47470886e6dede0c220127d642acf8d0f258c767151a63d2db5c46ddbd2551e93364fdcb6bcc2ba309f17c1165ee3d79ae76ff9a6774f9327

Download Submit
\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.1MB

MD5
9c39e700a95a5444c8d9e013547d615d

SHA1
a728c89f5afe447c63aa5ec80e8e70c98b105553

SHA256
1adc34ccf3cc5851de0c7968bb182815a4ba913364d47f72436b526b7ec0618d

SHA512
cc0aa255bc9284cd5f4038ce89c14736b7122a056d7b1911bfea4152535ae962b58d9e09f24a1b61057c7f70eed808da7b7f7423a083f8887a7023ffa88449f8

Download Submit
memory/2132-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2132-39-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/2132-41-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/2132-43-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/2132-44-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/2152-10-0x00000000000B0000-0x00000000000B4000-memory.dmp

Filesize
16KB

Download