agenttesla | 035f44cce07f951f0c65f1431efbdb466cde75e78335fdb9914c78a9343875c2

General

Target

Phoenix/Phoenix.exe
Size

5.6MB
MD5

1e09922d9ebca4374a64998bc0949bde
SHA1

474e620e852339cf01c44721d6f8663144d4ebd1
SHA256

539635d689f2d880bf0e29b6fbc95fa7df68d7d818e0096fba7a8700846a4dc3
SHA512

07f63b8bf6e2b4781d859e7a3dc6d85209709ad32c74d68789a435972200c78404d5fdfbc23cd4cb9783d2bacb707b88ef88aed38f0a7a9faf56b2b3ccd6b748
SSDEEP

98304:iDVt2sjC7YM1eqh85elVOlVdsOdlVdsO3BbBWIgWljGxRB/LL8pVds+:7siYM0qh85eli4xRBj

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral10/memory/3508-4-0x00000185F1040000-0x00000185F1252000-memory.dmp	family_agenttesla

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
2 discord.com
6 discord.com
15 discord.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
1	discord.com
2	discord.com
6	discord.com
15	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exePhoenix.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Phoenix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Phoenix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Phoenix.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2994005945-4089876968-1367784197-1000\{100E9998-4A8A-4139-89C6-555ADE851C98}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2040 msedge.exe
2040 msedge.exe
2252 msedge.exe
2252 msedge.exe
4800 msedge.exe
4800 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

2252 msedge.exe
2252 msedge.exe
2252 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Phoenix.exe

description pid process

Token: SeDebugPrivilege 3508 Phoenix.exe

pid	process
2040	msedge.exe
2040	msedge.exe
2252	msedge.exe
2252	msedge.exe
4800	msedge.exe
4800	msedge.exe

description	pid	process
Token: SeDebugPrivilege	3508	Phoenix.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe
2252	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Phoenix.exemsedge.exe

description	pid	process	target process
PID 3508 wrote to memory of 2252	3508	Phoenix.exe	msedge.exe
PID 3508 wrote to memory of 2252	3508	Phoenix.exe	msedge.exe
PID 2252 wrote to memory of 4500	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 4500	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2340	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2040	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 2040	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe
PID 2252 wrote to memory of 1672	2252	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe
"C:\Users\Admin\AppData\Local\Temp\Phoenix\Phoenix.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dsc.gg/phoenix-nuker
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85c343cb8,0x7ff85c343cc8,0x7ff85c343cd8
3⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
3⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
3⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
3⤵
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
3⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
3⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4748 /prefetch:8
3⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,8976473750770486766,18307831395906152082,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4744 /prefetch:8
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
eb12da4dfc0f8243b61266c9f6941407

SHA1
7e4475842990cfd46bebea10931352d2d07e5c61

SHA256
4e19c3ae67016d5de0ffc0ed3a003e29fac4f4e0c2c9bec6ecb2d1a202eb178f

SHA512
b0e0644bee5c0529f292167ef4b7b5670408b756d321bb01e1f6379063c2b3d6766df65510b731e950c057987c9d4d120fe72364fe3089e56aaf5e1c1e32b96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
377B

MD5
f8a8ce46d2024c359d02bc7c1586aa1f

SHA1
c1309fbc5971f827eebc1c1d7c2ef4a14a772100

SHA256
9677df63235bd92f8d44a08603bbe7b9d690573fbfa8f9b79456996225d86321

SHA512
42dc0ea62f8afa4be4f077112e529cabf7054dfe5a3004f67c1a263643897e3ec8bdfe3fe3a9e3ec6e17cececc990bc7756df530d7258330acd626430c223bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
923502825b40fdf5489e142b19046e7f

SHA1
5d8a8ad62a2dc7767953d16f29b2d22410f335b2

SHA256
e17cdd927100f5523df22ea15672dc8c09f919096b0287eabd96a19efe1fae0f

SHA512
db94bd44499fa5cbfe93870948e198c9f88126f502392546d8086ced09e73065166979d33b38acecfa404a8f6eef0e4107eab501ef5352ab8ef0593d4ac043cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
deb210acff667909b4d383e089c6bb41

SHA1
c59579caf2d05be8cea4e7b20a27c4574312fcbf

SHA256
ee77f90529c511f747eb5da0f51ed2f5ab13304f7bc5dd71cf9308f7398a297c

SHA512
20ad2abf67f86dc6d7134f5f91c10f49302a0a995eda5f92ad03cae72b0dcb20367600f2b356598d2193e9595f46c53e427c175140438c050c575187f822801c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d023bf108eafc69f6dc81aa137ae782

SHA1
e938ce7560f0339295bdf4db0d061628996a7209

SHA256
04c1d32e31d9c1e3d7aa4ef1e9a471a3e9bb4edc850485f500efa782022b21e3

SHA512
bc4a5817af12666e2356963f4188ef46bdac80df31f45c8640a6fb8164a26bad89d1b69e354e8d337257818b0b884451cfc76cdb9e63e51f0f9b296172ace67f

Download Submit
\??\pipe\LOCAL\crashpad_2252_PQCRPJVXKWXOIAAF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3508-4-0x00000185F1040000-0x00000185F1252000-memory.dmp

Filesize
2.1MB

Download
memory/3508-10-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-2-0x00000185EE9A0000-0x00000185EE9A1000-memory.dmp

Filesize
4KB

Download
memory/3508-0-0x00000185EDC10000-0x00000185EE59C000-memory.dmp

Filesize
9.5MB

Download
memory/3508-6-0x00000185F1260000-0x00000185F1312000-memory.dmp

Filesize
712KB

Download
memory/3508-8-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-5-0x00000185EE9F0000-0x00000185EEA0A000-memory.dmp

Filesize
104KB

Download
memory/3508-7-0x00000185EEAF0000-0x00000185EEB66000-memory.dmp

Filesize
472KB

Download
memory/3508-178-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-9-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-11-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-1-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

Filesize
10.8MB

Download
memory/3508-173-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp

Filesize
10.8MB

Download
memory/3508-174-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-175-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-176-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-177-0x00000185F0E10000-0x00000185F0E20000-memory.dmp

Filesize
64KB

Download
memory/3508-3-0x00000185F0C50000-0x00000185F0CFE000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads