agenttesla | 36484e70d703243720d4d8170e8bd708c59a879256ff70413b2ab1f7267efd6a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arrival Notice.exe
Size

632KB
MD5

d5551d02842d0bca89645f6d2dcd9425
SHA1

60e703ba9b877189f2a5349cae2512de050bc76c
SHA256

558122a88015bea8cc58d92d22e752167ccf7d837d8d85a3070497471660de3a
SHA512

a30a933775af324a4f6662288fa52ac8336d96cbbf44ca2ff9a40411ec2a4b6e2817b8372337bf1a1c18e476c3304a6e9bb8c8bcb4e7f44664de4af17d5670ae
SSDEEP

12288:knJ+gIaWmooQ9gfWer8oDRGLndvQfaTGXc8YrN7n0x:GU9F9gfl8zBw/YrN7

Score

10^/10

agenttesla kinsing keylogger loader spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wasstech.com
Port:
587
Username:
[email protected]
Password:
Sunray2700@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Kinsing
Kinsing is a loader written in Golang.
loader kinsing
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com
23 api.ipify.org
24 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Arrival Notice.exe

description pid process target process

PID 1600 set thread context of 2224 1600 Arrival Notice.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2188 2224 WerFault.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Arrival Notice.exeRegSvcs.exe

pid process

1600 Arrival Notice.exe
1600 Arrival Notice.exe
2224 RegSvcs.exe
2224 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Arrival Notice.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1600 Arrival Notice.exe
Token: SeDebugPrivilege 2224 RegSvcs.exe

flow	ioc
25	ip-api.com
23	api.ipify.org
24	api.ipify.org

description	pid	process	target process
PID 1600 set thread context of 2224	1600	Arrival Notice.exe	RegSvcs.exe

pid	pid_target	process	target process
2188	2224	WerFault.exe	RegSvcs.exe

pid	process
1600	Arrival Notice.exe
1600	Arrival Notice.exe
2224	RegSvcs.exe
2224	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1600	Arrival Notice.exe
Token: SeDebugPrivilege	2224	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Arrival Notice.exe

description	pid	process	target process
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 2044
3⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2224 -ip 2224
1⤵
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-8-0x0000000005660000-0x000000000566C000-memory.dmp

Filesize
48KB

Download
memory/1600-4-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1600-0-0x0000000000650000-0x00000000006F4000-memory.dmp

Filesize
656KB

Download
memory/1600-3-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1600-9-0x0000000006390000-0x000000000640C000-memory.dmp

Filesize
496KB

Download
memory/1600-5-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/1600-6-0x0000000005510000-0x0000000005524000-memory.dmp

Filesize
80KB

Download
memory/1600-10-0x0000000006630000-0x00000000066CC000-memory.dmp

Filesize
624KB

Download
memory/1600-2-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/1600-1-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1600-7-0x0000000005650000-0x0000000005658000-memory.dmp

Filesize
32KB

Download
memory/1600-13-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2224-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-14-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2224-16-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2224-15-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/2224-17-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download