agenttesla | 95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b

Analysis

max time kernel
144s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
08/12/2023, 02:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe
Size

234KB
MD5

a2d1a58f5ce44cab11865085de306c50
SHA1

212505087b5c3bc7227433b04a9c89f1d2bc383d
SHA256

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b
SHA512

e929f27110e4b3f4d1f758775b72a5d68c27038632bac6fb3abd5dab3bdafb48fc000a950977476901d4c8da72adbadbc1db5431ffb62146abbafb04e8b75b31
SSDEEP

3072:izZlx1JDgntYBAdbTgB2DRcWNdysHG5tLUQf4e:OZlx1JDgntSubTgB2mWvyC9Qg

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.sgbumperscar.com
Port:
587
Username:
ptt-dennis@sgbumperscar.com
Password:
cunduy123456789

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.sgbumperscar.com
Port:
587
Username:
ptt-dennis@sgbumperscar.com
Password:
cunduy123456789
Email To:
s4tivar@yandex.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org
32	api.ipify.org

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4876	95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe
4876	95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4876	95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

C:\Users\Admin\AppData\Local\Temp\95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe
"C:\Users\Admin\AppData\Local\Temp\95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

Network

DNS

2.181.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.181.190.20.in-addr.arpa

IN PTR

Response
DNS

180.178.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

180.178.17.96.in-addr.arpa

IN PTR

Response

180.178.17.96.in-addr.arpa

IN PTR

a96-17-178-180deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

api.ipify.org

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN CNAME

api4.ipify.org

api4.ipify.org

IN A

104.237.62.212

api4.ipify.org

IN A

173.231.16.77

api4.ipify.org

IN A

64.185.227.156
GET

https://api.ipify.org/

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

Remote address:

104.237.62.212:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: nginx/1.25.2
Date: Fri, 08 Dec 2023 02:35:24 GMT
Content-Type: text/plain
Content-Length: 12
Connection: keep-alive
Vary: Origin
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&w=1920&h=1080&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 401290
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 31972311E3DB42B4A82323494403D088 Ref B: LON04EDGE1217 Ref C: 2023-12-08T02:35:24Z
date: Fri, 08 Dec 2023 02:35:24 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4

Remote address:

204.79.197.200:443

Request

GET /th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 376372
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6615CEAB0018416781E9D451DBC2D491 Ref B: LON04EDGE1217 Ref C: 2023-12-08T02:35:24Z
date: Fri, 08 Dec 2023 02:35:24 GMT
DNS

212.62.237.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

212.62.237.104.in-addr.arpa

IN PTR

Response

212.62.237.104.in-addr.arpa

IN PTR

apiipifyorg
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

200.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.197.79.204.in-addr.arpa

IN PTR

Response

200.197.79.204.in-addr.arpa

IN PTR

a-0001a-msedgenet
DNS

183.59.114.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.59.114.20.in-addr.arpa

IN PTR

Response
DNS

mail.sgbumperscar.com

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

Remote address:

8.8.8.8:53

Request

mail.sgbumperscar.com

IN A

Response

mail.sgbumperscar.com

IN A

210.86.239.168
DNS

168.239.86.210.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.239.86.210.in-addr.arpa

IN PTR

Response

168.239.86.210.in-addr.arpa

IN PTR

server60 vietnetnamcom
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

183.1.37.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.1.37.23.in-addr.arpa

IN PTR

Response

183.1.37.23.in-addr.arpa

IN PTR

a23-37-1-183deploystaticakamaitechnologiescom
DNS

119.110.54.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

119.110.54.20.in-addr.arpa

IN PTR

Response
DNS

18.134.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.134.221.88.in-addr.arpa

IN PTR

Response

18.134.221.88.in-addr.arpa

IN PTR

a88-221-134-18deploystaticakamaitechnologiescom
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

Remote address:

8.8.8.8:53

Response

slscr.update.microsoft.com

IN CNAME

sls.update.microsoft.com

sls.update.microsoft.com

IN CNAME

glb.sls.prod.dcat.dsp.trafficmanager.net

glb.sls.prod.dcat.dsp.trafficmanager.net

IN A

20.114.59.183
DNS

Remote address:

8.8.8.8:53

Response

ctldl.windowsupdate.com

IN CNAME

wu-bg-shim.trafficmanager.net

wu-bg-shim.trafficmanager.net

IN CNAME

download.windowsupdate.com.edgesuite.net

download.windowsupdate.com.edgesuite.net

IN CNAME

a767.dspw65.akamai.net

a767.dspw65.akamai.net

IN A

96.17.178.173

a767.dspw65.akamai.net

IN A

96.17.178.209

104.237.62.212:443

https://api.ipify.org/

tls, http

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

854 B
6.9kB
9
10

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
204.79.197.200:443

https://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4

tls, http2

28.6kB
814.6kB
601
599

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301057_1JHF9NK2IDFKNUSZM&pid=21.2&w=1920&h=1080&c=4

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239317301490_1LPSK7N2TS8HCTMAM&pid=21.2&w=1080&h=1920&c=4

HTTP Response

200

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls, http2

1.1kB
8.2kB
14
12
210.86.239.168:587

mail.sgbumperscar.com

smtp-submission

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

1.2kB
6.7kB
14
20
88.221.134.18:80
52.111.227.14:443
20.189.173.4:443
192.229.221.95:80

8.8.8.8:53

2.181.190.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.181.190.20.in-addr.arpa
8.8.8.8:53

180.178.17.96.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

180.178.17.96.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

api.ipify.org

dns

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

59 B
126 B
1
1

DNS Request

api.ipify.org

DNS Response

104.237.62.212

173.231.16.77

64.185.227.156
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

212.62.237.104.in-addr.arpa

dns

73 B
100 B
1
1

DNS Request

212.62.237.104.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

200.197.79.204.in-addr.arpa

dns

73 B
106 B
1
1

DNS Request

200.197.79.204.in-addr.arpa
8.8.8.8:53

183.59.114.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

183.59.114.20.in-addr.arpa
8.8.8.8:53

mail.sgbumperscar.com

dns

95bcdb36ea04ac618c085d218c16e994eb39080ea9e81024cd346c75fa83438b.exe

67 B
83 B
1
1

DNS Request

mail.sgbumperscar.com

DNS Response

210.86.239.168
8.8.8.8:53

168.239.86.210.in-addr.arpa

dns

73 B
110 B
1
1

DNS Request

168.239.86.210.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

183.1.37.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

183.1.37.23.in-addr.arpa
8.8.8.8:53

119.110.54.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

119.110.54.20.in-addr.arpa
8.8.8.8:53

18.134.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

18.134.221.88.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

dns

160 B
1

DNS Response

20.114.59.183
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

dns

228 B
1

DNS Response

96.17.178.173

96.17.178.209
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53
8.8.8.8:53

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4876-1-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4876-0-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/4876-2-0x0000000005BD0000-0x0000000006174000-memory.dmp

Filesize
5.6MB

Download
memory/4876-3-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4876-4-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/4876-5-0x0000000006D10000-0x0000000006D60000-memory.dmp

Filesize
320KB

Download
memory/4876-6-0x0000000006E00000-0x0000000006E9C000-memory.dmp

Filesize
624KB

Download
memory/4876-7-0x0000000006F40000-0x0000000006FD2000-memory.dmp

Filesize
584KB

Download
memory/4876-8-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

Filesize
40KB

Download
memory/4876-9-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/4876-10-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.