agenttesla | 6c13935ce459215baf7b863cf206747125cacca60793e81ca06ee66139eeba79

Analysis

max time kernel
53s
max time network
153s
platform
windows7_x64
resource
win7-20220414-en
submitted
10-05-2022 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

455KB
MD5

f383aca77ec8694ab609f6c6ee464bde
SHA1

836abb931164edf8ea1ec1437b94eed0fc568049
SHA256

6c13935ce459215baf7b863cf206747125cacca60793e81ca06ee66139eeba79
SHA512

7acba871babb6cba09d1e444387d4d282f65b951b16127145521cd70915995425de6efc72a5f6400c81371734e5a47eaa33ed76ce06586f45fc8df1108af4040

Score

10^/10

agenttesla asyncrat venom clients collection keylogger rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
odin.mk-host.com
Port:
587
Username:
[email protected]
Password:
Hotel2020#

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

194.5.97.88:5050

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
odin.mk-host.com
Port:
587
Username:
[email protected]
Password:
Hotel2020#
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

resource	yara_rule
behavioral1/memory/1576-63-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1576-64-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1576-65-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1576-66-0x000000000041099E-mapping.dmp	asyncrat
behavioral1/memory/1576-69-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1576-71-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1576-78-0x0000000001FD0000-0x0000000001FDC000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

pid	Process
1576	InstallUtil.exe
1744	QWAS.exe
1556	RegAsm.exe

Loads dropped DLL 4 IoCs

pid	Process
1992	tmp.exe
1892	powershell.exe
1744	QWAS.exe
1556	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1992 set thread context of 1576	1992	tmp.exe	27
PID 1744 set thread context of 1556	1744	QWAS.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1992	tmp.exe
1992	tmp.exe
1892	powershell.exe
1576	InstallUtil.exe
1892	powershell.exe
1892	powershell.exe
1744	QWAS.exe
1744	QWAS.exe
1556	RegAsm.exe
1556	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	tmp.exe
Token: SeDebugPrivilege	1576	InstallUtil.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1744	QWAS.exe
Token: SeDebugPrivilege	1556	RegAsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1992 wrote to memory of 1576	1992	tmp.exe	27
PID 1576 wrote to memory of 1656	1576	InstallUtil.exe	29
PID 1576 wrote to memory of 1656	1576	InstallUtil.exe	29
PID 1576 wrote to memory of 1656	1576	InstallUtil.exe	29
PID 1576 wrote to memory of 1656	1576	InstallUtil.exe	29
PID 1656 wrote to memory of 1892	1656	cmd.exe	31
PID 1656 wrote to memory of 1892	1656	cmd.exe	31
PID 1656 wrote to memory of 1892	1656	cmd.exe	31
PID 1656 wrote to memory of 1892	1656	cmd.exe	31
PID 1892 wrote to memory of 1744	1892	powershell.exe	32
PID 1892 wrote to memory of 1744	1892	powershell.exe	32
PID 1892 wrote to memory of 1744	1892	powershell.exe	32
PID 1892 wrote to memory of 1744	1892	powershell.exe	32
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33
PID 1744 wrote to memory of 1556	1744	QWAS.exe	33

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\QWAS.exe"'
      4⤵
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\QWAS.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QWAS.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Accesses Microsoft Outlook profiles
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
b9f21d8db36e88831e5352bb82c438b3

SHA1
4a3c330954f9f65a2f5fd7e55800e46ce228a3e2

SHA256
998e0209690a48ed33b79af30fc13851e3e3416bed97e3679b6030c10cab361e

SHA512
d4a2ac7c14227fbaf8b532398fb69053f0a0d913273f6917027c8cadbba80113fdbec20c2a7eb31b7bb57c99f9fdeccf8576be5f39346d8b564fc72fb1699476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
655df22e0d6df8fbd9a8cf58c9d3fe24

SHA1
542b6adaa70e8cea54354bb327ed9ad877c21b62

SHA256
4bb35387b07667d96d7e9f5c5b5640828f517e6bcf15bbc8f9fd79817f800fd6

SHA512
fffbeff25999311300f6cd51c08400ce64fe843848c46237fbd898fea5ac87b5e86c64dcd9306cc6d462b7e57144f2a8828fa99e46d3b1c7382c593852cb9033

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWAS.exe

Filesize
682KB

MD5
0c333ed8bb368bd1f442e429d25468bf

SHA1
17caab2afdb4338cea5161abe9b4f1137585afcd

SHA256
ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d

SHA512
a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWAS.exe

Filesize
682KB

MD5
0c333ed8bb368bd1f442e429d25468bf

SHA1
17caab2afdb4338cea5161abe9b4f1137585afcd

SHA256
ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d

SHA512
a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\QWAS.exe

Filesize
682KB

MD5
0c333ed8bb368bd1f442e429d25468bf

SHA1
17caab2afdb4338cea5161abe9b4f1137585afcd

SHA256
ad0b97333d1e6ea935fdc6a610f9eeea8fe2f1fcbadcf2c721aa7d1e4149618d

SHA512
a5f2e72c3852cca0b19e89e03cf97db21d030ede8743ad102bf4c3f9bde21a8156f24847766a54163064becdceaef2f482c53f940a58c2a5dc2205ab40a3104b

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/1556-95-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-93-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-91-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1556-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1576-65-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1576-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1576-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1576-78-0x0000000001FD0000-0x0000000001FDC000-memory.dmp

Filesize
48KB

Download
memory/1576-77-0x0000000005630000-0x0000000005690000-memory.dmp

Filesize
384KB

Download
memory/1576-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1576-76-0x0000000005A50000-0x0000000005AE0000-memory.dmp

Filesize
576KB

Download
memory/1576-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1576-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1576-75-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/1576-74-0x0000000005190000-0x00000000051FA000-memory.dmp

Filesize
424KB

Download
memory/1576-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1744-86-0x0000000000AD0000-0x0000000000B80000-memory.dmp

Filesize
704KB

Download
memory/1892-87-0x000000006DD30000-0x000000006E2DB000-memory.dmp

Filesize
5.7MB

Download
memory/1992-54-0x00000000010A0000-0x0000000001116000-memory.dmp

Filesize
472KB

Download
memory/1992-58-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/1992-57-0x00000000004C0000-0x00000000004DA000-memory.dmp

Filesize
104KB

Download
memory/1992-56-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download