agenttesla | 36484e70d703243720d4d8170e8bd708c59a879256ff70413b2ab1f7267efd6a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arrival Notice.exe
Size

632KB
MD5

d5551d02842d0bca89645f6d2dcd9425
SHA1

60e703ba9b877189f2a5349cae2512de050bc76c
SHA256

558122a88015bea8cc58d92d22e752167ccf7d837d8d85a3070497471660de3a
SHA512

a30a933775af324a4f6662288fa52ac8336d96cbbf44ca2ff9a40411ec2a4b6e2817b8372337bf1a1c18e476c3304a6e9bb8c8bcb4e7f44664de4af17d5670ae
SSDEEP

12288:knJ+gIaWmooQ9gfWer8oDRGLndvQfaTGXc8YrN7n0x:GU9F9gfl8zBw/YrN7

Score

10^/10

agenttesla kinsing keylogger loader spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wasstech.com
Port:
587
Username:
[email protected]
Password:
Sunray2700@@
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
25	ip-api.com
23	api.ipify.org
24	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

Arrival Notice.exe

description	pid	Process	procid_target
PID 1600 set thread context of 2224	1600	Arrival Notice.exe	96

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2188	2224	WerFault.exe	96

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Arrival Notice.exeRegSvcs.exe

pid	Process
1600	Arrival Notice.exe
1600	Arrival Notice.exe
2224	RegSvcs.exe
2224	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Arrival Notice.exeRegSvcs.exe

description	pid	Process
Token: SeDebugPrivilege	1600	Arrival Notice.exe
Token: SeDebugPrivilege	2224	RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Arrival Notice.exe

description	pid	Process	procid_target
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96
PID 1600 wrote to memory of 2224	1600	Arrival Notice.exe	96

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 2044
    3⤵
    - Program crash
    PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2224 -ip 2224
1⤵
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-8-0x0000000005660000-0x000000000566C000-memory.dmp

Filesize
48KB

Download
memory/1600-4-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/1600-0-0x0000000000650000-0x00000000006F4000-memory.dmp

Filesize
656KB

Download
memory/1600-3-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/1600-9-0x0000000006390000-0x000000000640C000-memory.dmp

Filesize
496KB

Download
memory/1600-5-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/1600-6-0x0000000005510000-0x0000000005524000-memory.dmp

Filesize
80KB

Download
memory/1600-10-0x0000000006630000-0x00000000066CC000-memory.dmp

Filesize
624KB

Download
memory/1600-2-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/1600-1-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/1600-7-0x0000000005650000-0x0000000005658000-memory.dmp

Filesize
32KB

Download
memory/1600-13-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2224-11-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-14-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2224-16-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/2224-15-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/2224-17-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download