agenttesla | 2ecbb0f12109e26545d19bc42215b7c6884da48e8f59d5954330e7ecfa290b62 | Triage

Analysis

max time kernel
195s
max time network
297s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-04-2024 13:51

Sharing

Report Analysis Logs

General

Target

TNT Original Invoice.scr
Size

697KB
MD5

4aa63ea35a6a68252888080722f2b403
SHA1

63ecde53df066919f84d35926dbea4efc1610b00
SHA256

8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32
SHA512

a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3
SSDEEP

12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT Original Invoice.scr

description pid process target process

PID 2024 set thread context of 416 2024 TNT Original Invoice.scr TNT Original Invoice.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4324 schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

TNT Original Invoice.scrpowershell.exepowershell.exeTNT Original Invoice.scr

pid	process
2024	TNT Original Invoice.scr
2024	TNT Original Invoice.scr
2024	TNT Original Invoice.scr
2024	TNT Original Invoice.scr
2024	TNT Original Invoice.scr
2024	TNT Original Invoice.scr
1388	powershell.exe
2024	TNT Original Invoice.scr
2100	powershell.exe
416	TNT Original Invoice.scr
416	TNT Original Invoice.scr
2100	powershell.exe
1388	powershell.exe
1388	powershell.exe
2100	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

TNT Original Invoice.scrpowershell.exepowershell.exeTNT Original Invoice.scr

description	pid	process
Token: SeDebugPrivilege	2024	TNT Original Invoice.scr
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	416	TNT Original Invoice.scr

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TNT Original Invoice.scr

pid process

416 TNT Original Invoice.scr

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

TNT Original Invoice.scr

description	pid	process	target process
PID 2024 wrote to memory of 2100	2024	TNT Original Invoice.scr	powershell.exe
PID 2024 wrote to memory of 2100	2024	TNT Original Invoice.scr	powershell.exe
PID 2024 wrote to memory of 2100	2024	TNT Original Invoice.scr	powershell.exe
PID 2024 wrote to memory of 1388	2024	TNT Original Invoice.scr	powershell.exe
PID 2024 wrote to memory of 1388	2024	TNT Original Invoice.scr	powershell.exe
PID 2024 wrote to memory of 1388	2024	TNT Original Invoice.scr	powershell.exe
PID 2024 wrote to memory of 4324	2024	TNT Original Invoice.scr	schtasks.exe
PID 2024 wrote to memory of 4324	2024	TNT Original Invoice.scr	schtasks.exe
PID 2024 wrote to memory of 4324	2024	TNT Original Invoice.scr	schtasks.exe
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr
PID 2024 wrote to memory of 416	2024	TNT Original Invoice.scr	TNT Original Invoice.scr

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QKidaN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QKidaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAE4.tmp"
2⤵
- Creates scheduled task(s)
PID:4324

C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
"C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1d0a68947ad90d88a4d2a377af23e627

SHA1
28d59fe72c9014beb58baad35aa8369dbc31e1ba

SHA256
c17be7ec439f5cadaf2aee5a84b83b12317bb93af87ab613e6aa4d6d86029824

SHA512
a651062d9e8b27704227cf82fd1b27053e5353a19750baa864d5c3e08c0d54fcce53b4a07498eca319c759c5ec1dc6a9dad7dd60973b7e867bf96f3f6541ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cypc4vz5.5es.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAE4.tmp
Filesize
1KB

MD5
7f7c0a00a71dacf5b6155301467b3e5b

SHA1
b5791651c780fdb513601f0a32f0456c2f057ad2

SHA256
364e65a5cdb975e2f73760b2c83588395ea415f631961204b35a31f9f915306a

SHA512
51b07d61a582c5e3284bbd2781f5db0417ded49b6650cfe858ac465eb442a937a928d508ae90261e12c4ede98b7978d3d081d1f2f707b42690d0980efe05f2aa

Download Submit
memory/416-512-0x00000000060F0000-0x0000000006140000-memory.dmp

Filesize
320KB

Download
memory/416-30-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1388-72-0x0000000070520000-0x000000007056B000-memory.dmp

Filesize
300KB

Download
memory/1388-33-0x0000000007530000-0x0000000007596000-memory.dmp

Filesize
408KB

Download
memory/1388-510-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1388-453-0x0000000009750000-0x000000000976A000-memory.dmp

Filesize
104KB

Download
memory/1388-474-0x0000000009740000-0x0000000009748000-memory.dmp

Filesize
32KB

Download
memory/1388-84-0x00000000097B0000-0x0000000009844000-memory.dmp

Filesize
592KB

Download
memory/1388-71-0x0000000009490000-0x00000000094C3000-memory.dmp

Filesize
204KB

Download
memory/1388-73-0x0000000009470000-0x000000000948E000-memory.dmp

Filesize
120KB

Download
memory/1388-35-0x0000000007DE0000-0x0000000008130000-memory.dmp

Filesize
3.3MB

Download
memory/1388-25-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/1388-27-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1388-24-0x0000000001100000-0x0000000001110000-memory.dmp

Filesize
64KB

Download
memory/1388-31-0x0000000007C10000-0x0000000007C76000-memory.dmp

Filesize
408KB

Download
memory/1388-29-0x0000000007320000-0x0000000007342000-memory.dmp

Filesize
136KB

Download
memory/2024-9-0x0000000006C40000-0x0000000006CC4000-memory.dmp

Filesize
528KB

Download
memory/2024-2-0x00000000059E0000-0x0000000005EDE000-memory.dmp

Filesize
5.0MB

Download
memory/2024-5-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/2024-4-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/2024-34-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-7-0x0000000005960000-0x000000000596E000-memory.dmp

Filesize
56KB

Download
memory/2024-26-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/2024-8-0x0000000005970000-0x0000000005986000-memory.dmp

Filesize
88KB

Download
memory/2024-3-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/2024-10-0x00000000092A0000-0x000000000933C000-memory.dmp

Filesize
624KB

Download
memory/2024-1-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-6-0x0000000005740000-0x0000000005758000-memory.dmp

Filesize
96KB

Download
memory/2024-18-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2024-0-0x0000000000B70000-0x0000000000C24000-memory.dmp

Filesize
720KB

Download
memory/2100-19-0x0000000007570000-0x0000000007B98000-memory.dmp

Filesize
6.2MB

Download
memory/2100-83-0x0000000009660000-0x0000000009705000-memory.dmp

Filesize
660KB

Download
memory/2100-17-0x0000000004940000-0x0000000004976000-memory.dmp

Filesize
216KB

Download
memory/2100-38-0x00000000084D0000-0x0000000008546000-memory.dmp

Filesize
472KB

Download
memory/2100-22-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-36-0x0000000007F30000-0x0000000007F4C000-memory.dmp

Filesize
112KB

Download
memory/2100-37-0x00000000081E0000-0x000000000822B000-memory.dmp

Filesize
300KB

Download
memory/2100-74-0x0000000070520000-0x000000007056B000-memory.dmp

Filesize
300KB

Download
memory/2100-511-0x00000000736A0000-0x0000000073D8E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-23-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download