agenttesla | 128de5e09d0453bdce3abe943b88c72adb065971c9db3ee6e8075bd6651c356e

Resubmissions

13-02-2024 12:04

240213-n8wg3ahc2z 10

04-12-2023 18:50

231204-xg8gzsec21 10

04-12-2023 18:47

231204-xe7gxaec2v 10

Analysis

max time kernel
119s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kviitung_04-12-2023.exe
Size

626KB
MD5

a98f880aefb9f770cf0f280b6aabfc63
SHA1

9aa8fbe199f4f7386e418076438f72a958147f0c
SHA256

f4c0c2490f385084d7673926acb7c950c30dfba656a77c85493cfc04889d002a
SHA512

f2fc8169d950b39e1387a44613418196f70fb719e2c8ee055fd5f7cb18e73803dffe548f38a1653e22af8174ddaedf193b46ae30f8f8c84dcc3d1155e8076e8e
SSDEEP

12288:FI45+po2V1kWEOIVim9yY7gRMpMCuaA9NV+wuSyW4hIcKvSwkPAg:FL+pJQnJyY7gepOaA9NV+gyW4hIpKP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
sg3plcpnl0195.prod.sin3.secureserver.net
Port:
587
Username:
[email protected]
Password:
V#[email protected]&Qo!

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
sg3plcpnl0195.prod.sin3.secureserver.net
Port:
587
Username:
[email protected]
Password:
V#[email protected]&Qo!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

26 api.ipify.org
27 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Kviitung_04-12-2023.exe

description pid process target process

PID 2320 set thread context of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe

flow	ioc
26	api.ipify.org
27	api.ipify.org

description	pid	process	target process
PID 2320 set thread context of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3364 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Kviitung_04-12-2023.exe

pid process

3032 Kviitung_04-12-2023.exe
3032 Kviitung_04-12-2023.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Kviitung_04-12-2023.exe

description pid process

Token: SeDebugPrivilege 3032 Kviitung_04-12-2023.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXE

pid process

3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE
3364 EXCEL.EXE

pid	process
3364	EXCEL.EXE

pid	process
3032	Kviitung_04-12-2023.exe
3032	Kviitung_04-12-2023.exe

description	pid	process
Token: SeDebugPrivilege	3032	Kviitung_04-12-2023.exe

pid	process
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE
3364	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Kviitung_04-12-2023.exe

description	pid	process	target process
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe
PID 2320 wrote to memory of 3032	2320	Kviitung_04-12-2023.exe	Kviitung_04-12-2023.exe

C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe
"C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe
"C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\CheckpointWatch.ods"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kviitung_04-12-2023.exe.log

Filesize
2KB

MD5
93d52c1bc7c38d958583ebbd3dc09cd4

SHA1
4c5ee6f9c9ae190c9a0cccb91fa2257ddcb8b0d5

SHA256
2905f3a06dd8907ddbcbe64389cffcc8a5273d1822e25f8bea385bdd01653c76

SHA512
dfc55c3247d7734c5a531fb5a3de689e8bb823e82c14ad6cab16923d50d51e03e5e86165a7d65b3059a66b67968b611368b010a6d9f755916b01ef7b67c5228e

Download Submit
memory/2320-10-0x0000000007D00000-0x0000000007D9C000-memory.dmp

Filesize
624KB

Download
memory/2320-0-0x00000000007D0000-0x0000000000872000-memory.dmp

Filesize
648KB

Download
memory/2320-9-0x0000000007F50000-0x0000000007FCA000-memory.dmp

Filesize
488KB

Download
memory/2320-4-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/2320-5-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/2320-6-0x0000000005500000-0x0000000005518000-memory.dmp

Filesize
96KB

Download
memory/2320-7-0x0000000005650000-0x0000000005658000-memory.dmp

Filesize
32KB

Download
memory/2320-8-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

Filesize
40KB

Download
memory/2320-3-0x0000000005A50000-0x0000000005FF4000-memory.dmp

Filesize
5.6MB

Download
memory/2320-2-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/2320-1-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/2320-17-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-14-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-15-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3032-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-16-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/3032-18-0x0000000006560000-0x00000000065B0000-memory.dmp

Filesize
320KB

Download
memory/3032-19-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/3032-21-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3364-24-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-36-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-22-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-25-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-20-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-27-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-26-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-28-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-29-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-30-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-31-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-32-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-33-0x00007FFB153D0000-0x00007FFB153E0000-memory.dmp

Filesize
64KB

Download
memory/3364-34-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-35-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-23-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-37-0x00007FFB153D0000-0x00007FFB153E0000-memory.dmp

Filesize
64KB

Download
memory/3364-38-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-39-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-40-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-42-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-41-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-65-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-66-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-67-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-69-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-68-0x00007FFB17D30000-0x00007FFB17D40000-memory.dmp

Filesize
64KB

Download
memory/3364-71-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download
memory/3364-70-0x00007FFB57CB0000-0x00007FFB57EA5000-memory.dmp

Filesize
2.0MB

Download