agenttesla | b4a16aa8a75103a7740dc1cfaf67fa5accaee9e2e69b092e217e683befed16ff

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XX(1).exe
Size

1.1MB
MD5

ceee05227b74e5a1e6d89f3b1cdfd24b
SHA1

7c7038b477f3d68226abf7eb1f8b4e9b9cfae331
SHA256

0f30bd5220de4c7fb2d426a392b5fcdbf1062b33a65761cb2af0d4732a2b2c2e
SHA512

931eed40bcb985de50c631f1b2565edf4bcdc78d56d9e2b31c608a634367c227325152dc4644d498924bcc09d5a11f3ace19193b9d1ea4aa897747f2b073a4c9
SSDEEP

24576:WAHnh+eWsN3skA4RV1Hom2KXMmHabDXVNuE25:xh+ZkldoPK8YabD3A

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

XX(1).exe

description pid process target process

PID 2500 set thread context of 2188 2500 XX(1).exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RegSvcs.exe

pid process

2188 RegSvcs.exe
2188 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

XX(1).exe

pid process

2500 XX(1).exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2188 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

XX(1).exe

pid process

2500 XX(1).exe
2500 XX(1).exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

XX(1).exe

pid process

2500 XX(1).exe
2500 XX(1).exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

description	pid	process	target process
PID 2500 set thread context of 2188	2500	XX(1).exe	RegSvcs.exe

pid	process
2188	RegSvcs.exe
2188	RegSvcs.exe

pid	process
2500	XX(1).exe

description	pid	process
Token: SeDebugPrivilege	2188	RegSvcs.exe

pid	process
2500	XX(1).exe
2500	XX(1).exe

pid	process
2500	XX(1).exe
2500	XX(1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

XX(1).exe

description	pid	process	target process
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe
PID 2500 wrote to memory of 2188	2500	XX(1).exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\XX(1).exe
"C:\Users\Admin\AppData\Local\Temp\XX(1).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\XX(1).exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\polygamodioecious
Filesize
262KB

MD5
0627d8ea9c9a86c685642a0cada49435

SHA1
14b98255bfdb171dd4c4493dbf37a9599750aa06

SHA256
e79b150ec9f056e0debfaa6377c5b496e17a2afb00418bc417f9ad3706ff1787

SHA512
26ef50ccfaae562f0f0833bf06b5e2be09082ce78e4900d47dc9552de4f897fd02e4510550fea1b8bab819bda15debc63619ca341d1f9ca7386e3c5d1640934c

Download Submit
memory/2188-63-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-1056-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/2188-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2188-59-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-16-0x000000007478E000-0x000000007478F000-memory.dmp

Filesize
4KB

Download
memory/2188-17-0x0000000000AE0000-0x0000000000B34000-memory.dmp

Filesize
336KB

Download
memory/2188-18-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-19-0x0000000000B70000-0x0000000000BC2000-memory.dmp

Filesize
328KB

Download
memory/2188-20-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-21-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-47-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-37-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-35-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-33-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-31-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-27-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-25-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-53-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-45-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-81-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-65-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-1057-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2188-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2188-22-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-51-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-49-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-43-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-41-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-39-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-29-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-23-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-79-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-77-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-75-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-73-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-71-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-69-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-67-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-61-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-55-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2188-1054-0x0000000074780000-0x0000000074E6E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-1055-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2188-57-0x0000000000B70000-0x0000000000BBD000-memory.dmp

Filesize
308KB

Download
memory/2500-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download