agenttesla | ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0

General

Target

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe
Size

1.3MB
MD5

69eaab67fd89a7dca0de1a2405d0df34
SHA1

e1d55aca4c9c6edce5a1301f678f09826af3670e
SHA256

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0
SHA512

7c132d714c08a59d12f57f6b18669577a506398a87a9a050306a271c4be81975228d3e80a08ad7ba2d5cff1dd87ea7fff90ee3216b6cbaa009733930d5943140
SSDEEP

24576:nAHnh+eWsN3skA4RV1Hom2KXMmHap7d4DajNV+zfKw6F5E1ZkDhJFa5:ah+ZkldoPK8Yapu+35qSDh8

Score

10^/10

agenttesla remcos remotehost collection keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sub.thisisnot2abuse.xyz:2080

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PVWWU4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7124146126:AAGAbs9iw3XzfgH3tTN58djGN81AnAy9t-E/

https://api.telegram.org/bot5641014861:AAEm_7YGp9cbvOBbk5wT5BYfwW_Yl2L8a9Q/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1888-64-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1888-78-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2240-65-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2240-74-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-65-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1888-64-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1740-68-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1740-69-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2240-74-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1888-78-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

COMddd.exeMINEOr.exe

pid process

2472 COMddd.exe
2500 MINEOr.exe
Loads dropped DLL 2 IoCs

Processes:

svchost.exe

pid process

1356 svchost.exe
1356 svchost.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2472	COMddd.exe
2500	MINEOr.exe

pid	process
1356	svchost.exe
1356	svchost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exesvchost.exe

description	pid	process	target process
PID 2864 set thread context of 1356	2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe	svchost.exe
PID 1356 set thread context of 2240	1356	svchost.exe	svchost.exe
PID 1356 set thread context of 1888	1356	svchost.exe	svchost.exe
PID 1356 set thread context of 1740	1356	svchost.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

COMddd.exeMINEOr.exesvchost.exe

pid process

2472 COMddd.exe
2500 MINEOr.exe
2472 COMddd.exe
2500 MINEOr.exe
2240 svchost.exe
2240 svchost.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exesvchost.exe

pid process

2864 ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe
1356 svchost.exe
1356 svchost.exe
1356 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

MINEOr.exeCOMddd.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2500 MINEOr.exe
Token: SeDebugPrivilege 2472 COMddd.exe
Token: SeDebugPrivilege 1740 svchost.exe

pid	process
2472	COMddd.exe
2500	MINEOr.exe
2472	COMddd.exe
2500	MINEOr.exe
2240	svchost.exe
2240	svchost.exe

description	pid	process
Token: SeDebugPrivilege	2500	MINEOr.exe
Token: SeDebugPrivilege	2472	COMddd.exe
Token: SeDebugPrivilege	1740	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe

pid	process
2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe
2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe

pid	process
2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe
2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exesvchost.exe

description	pid	process	target process
PID 2864 wrote to memory of 1356	2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe	svchost.exe
PID 2864 wrote to memory of 1356	2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe	svchost.exe
PID 2864 wrote to memory of 1356	2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe	svchost.exe
PID 2864 wrote to memory of 1356	2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe	svchost.exe
PID 2864 wrote to memory of 1356	2864	ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe	svchost.exe
PID 1356 wrote to memory of 2472	1356	svchost.exe	COMddd.exe
PID 1356 wrote to memory of 2472	1356	svchost.exe	COMddd.exe
PID 1356 wrote to memory of 2472	1356	svchost.exe	COMddd.exe
PID 1356 wrote to memory of 2472	1356	svchost.exe	COMddd.exe
PID 1356 wrote to memory of 2500	1356	svchost.exe	MINEOr.exe
PID 1356 wrote to memory of 2500	1356	svchost.exe	MINEOr.exe
PID 1356 wrote to memory of 2500	1356	svchost.exe	MINEOr.exe
PID 1356 wrote to memory of 2500	1356	svchost.exe	MINEOr.exe
PID 1356 wrote to memory of 2240	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 2240	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 2240	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 2240	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 2240	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1888	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1888	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1888	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1888	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1888	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1740	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1740	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1740	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1740	1356	svchost.exe	svchost.exe
PID 1356 wrote to memory of 1740	1356	svchost.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe
"C:\Users\Admin\AppData\Local\Temp\ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\ef413eb1c49ca9cda1220c73b5f95138015c5d0e44d49589ae717def16af6ec0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\COMddd.exe
"C:\Users\Admin\AppData\Local\Temp\COMddd.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Users\Admin\AppData\Local\Temp\MINEOr.exe
"C:\Users\Admin\AppData\Local\Temp\MINEOr.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\xsgdsrrwnzgymzjppjj"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\hmlotjcpjhydpnftzlevfm"
3⤵
- Accesses Microsoft Outlook accounts
PID:1888

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\rorguunrxpqizttxiwqxizozrp"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COMddd.exe
Filesize
234KB

MD5
b8bf53bd1b6236e6e4e1de037830802c

SHA1
a8b9be18347a91bf7d4acaf08fb910a533084620

SHA256
50efb12a800e55214863400a9c791d3675569f605e91098cad8f6d0d158a0d41

SHA512
ac6e5cb49de3940ff1cfaf836bc217d5e3a694cc9bace130fcb3d6bf58cd94635f5ee22acba20c9d054c4e002e73f31bd0f496ab5f1854bcc323d23f2f710dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsgdsrrwnzgymzjppjj
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Temp\MINEOr.exe
Filesize
237KB

MD5
a46d418f60ad2ba7a8d579607a5b2ba6

SHA1
eca362a36a86322b2f8da228f363b98d7083095b

SHA256
f67b6a804a2712d92aa67b499c8434ae8c5193d4b598470eba9dd9ff181c83da

SHA512
600725e4208c0efb599e80d678b7d5532c3bad6057c3a6d891b764ce2bcc582e43e94a556d25eb8b91455c2987b56e3f497c2c5d902960033e512900eebbe230

Download Submit
memory/1356-79-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1356-18-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-95-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-19-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-23-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-22-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-27-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-14-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-13-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-45-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-90-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1356-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-84-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1356-83-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1356-82-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1356-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-17-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-11-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1740-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1740-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1888-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1888-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1888-78-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1888-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1888-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2240-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2240-51-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-65-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2240-74-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2472-86-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-48-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/2472-46-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-43-0x00000000001F0000-0x0000000000230000-memory.dmp

Filesize
256KB

Download
memory/2500-87-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-47-0x0000000073F90000-0x000000007467E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-44-0x0000000000F20000-0x0000000000F62000-memory.dmp

Filesize
264KB

Download
memory/2864-10-0x00000000001A0000-0x00000000001A4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads