agenttesla | a2b803974fcfb65e21fa1a7690eb2a4822f091a8bdf45786e2085c833871d5a0

General

Target

wiru.exe
Size

987KB
MD5

a6455a248e43686bfda50622f2bd82d2
SHA1

de8544085d7969af9c9eda6cc418f26f9b144786
SHA256

a2b803974fcfb65e21fa1a7690eb2a4822f091a8bdf45786e2085c833871d5a0
SHA512

2820d87ffb9b1088dd61da458e4891d8247a3185099fe195e8fb5d2f8a135607eaf013b43718e347c30f0095bfe581a9e6d0b160ccba86d35dec168ea638aa2e
SSDEEP

12288:00QxgjNKY/6sBjn+lkNp6MARWch8k6SFkJkgskKA0kZPiDsRyNX5UrLB/ccOTOKw:00Qxgj8Y3n+lQkg6kZPiARysLBOTO+FG

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oripam.xyz
Port:
587
Username:
[email protected]
Password:
1yH[0T=asUG?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Suspicious use of SetThreadContext 1 IoCs

Processes:

wiru.exe

description pid process target process

PID 1728 set thread context of 4520 1728 wiru.exe CasPol.exe

description	pid	process	target process
PID 1728 set thread context of 4520	1728	wiru.exe	CasPol.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

CasPol.exemsedge.exemsedge.exe

pid process

4520 CasPol.exe
4520 CasPol.exe
1168 msedge.exe
1168 msedge.exe
2176 msedge.exe
2176 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

2176 msedge.exe
2176 msedge.exe
2176 msedge.exe
2176 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wiru.exeCasPol.exe

description pid process

Token: SeDebugPrivilege 1728 wiru.exe
Token: SeDebugPrivilege 4520 CasPol.exe

pid	process
4520	CasPol.exe
4520	CasPol.exe
1168	msedge.exe
1168	msedge.exe
2176	msedge.exe
2176	msedge.exe

description	pid	process
Token: SeDebugPrivilege	1728	wiru.exe
Token: SeDebugPrivilege	4520	CasPol.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe
2176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wiru.exemsedge.exe

description	pid	process	target process
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 4520	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 3368	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 3368	1728	wiru.exe	CasPol.exe
PID 1728 wrote to memory of 3368	1728	wiru.exe	CasPol.exe
PID 2176 wrote to memory of 2624	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 2624	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 5076	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1168	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1168	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe
PID 2176 wrote to memory of 1960	2176	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\wiru.exe
"C:\Users\Admin\AppData\Local\Temp\wiru.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
PID:3368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://run.exe/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa7ea3cb8,0x7fffa7ea3cc8,0x7fffa7ea3cd8
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
2⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
2⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
2⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
3e5a2dac1f49835cf442fde4b7f74b88

SHA1
7b2cf4e2820f304adf533d43e6d75b3008941f72

SHA256
30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce

SHA512
933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6e15af8f29dec1e606c7774ef749eaf2

SHA1
15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97

SHA256
de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c

SHA512
1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
49986c7ee635f0a77b74f73839e2980f

SHA1
309138269b9a48fc467efada3bd0b87b838ba2f8

SHA256
25c921207fa9c6d39c7f7d531b877bd0ea980b9c8563b7e5a01cf6d10b66238c

SHA512
3d6cb030310a95a25400ed110f4c9a8c65954b97e53b9ded27e27b836a1805a938340dc0240f719c12a2526124744cc7100a6dc0d46865600bc2bdfdfe0502de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
845d74cf48f486632c38becd89037272

SHA1
7e6228e475ca05ad93e57b6d9b6971f4e98f29d8

SHA256
cae4930c3ca5eae161e0b7ccacd34d03b2a88e0e8ca355441d4daeb599b2f6e6

SHA512
38fa5ac68eeca68aeda3f56b527963d657567cc8d9a69482feaa33271b75643e7f47bcc3824b3a2c2006c79e76e8a68db294fb2e9f2270a7b19ff916f07f7d79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
aa7a8807579c5eece4be0669ed1cc997

SHA1
98ec59fa1ce9375b04dc0026fc157bf12d09ed61

SHA256
203b85ee92e4084522d3e53be809ffabe2a74be17c26f89dae5c71717dcb75d6

SHA512
4b894b807b9cbe851c4563e3d0da739cef619dd6ccef439be022190745ceef9cad94f1dbe6678734fee0502a51891d39e330346080da48be3239b7bd26e16323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
\??\pipe\LOCAL\crashpad_2176_HMUCINGUADUEUILE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1728-2-0x0000027D4BF90000-0x0000027D4BFA0000-memory.dmp

Filesize
64KB

Download
memory/1728-1-0x00007FFFA8370000-0x00007FFFA8E32000-memory.dmp

Filesize
10.8MB

Download
memory/1728-3-0x0000027D33450000-0x0000027D334E6000-memory.dmp

Filesize
600KB

Download
memory/1728-0-0x0000027D31800000-0x0000027D31868000-memory.dmp

Filesize
416KB

Download
memory/1728-9-0x00007FFFA8370000-0x00007FFFA8E32000-memory.dmp

Filesize
10.8MB

Download
memory/4520-5-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4520-13-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/4520-14-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4520-12-0x00000000062D0000-0x00000000062DA000-memory.dmp

Filesize
40KB

Download
memory/4520-11-0x0000000006350000-0x00000000063E2000-memory.dmp

Filesize
584KB

Download
memory/4520-10-0x0000000006260000-0x00000000062B0000-memory.dmp

Filesize
320KB

Download
memory/4520-8-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/4520-7-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4520-6-0x0000000005860000-0x0000000005E06000-memory.dmp

Filesize
5.6MB

Download
memory/4520-4-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads