agenttesla | 7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5

Analysis

max time kernel
146s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
08/05/2024, 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
Size

538KB
MD5

a0571911e8977fb94b93b2f0deb45137
SHA1

fce8528ee324b7adb81b73ed909ec1c5e33794ad
SHA256

7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5
SHA512

9a8d21d775b38e91921f0beb8db3a7c97b89b376be51a2d557fab7c898b5448de92838462cba4776196f76aeed5b0091cc8ea21bb231a420c8804aae3813166e
SSDEEP

12288:Wn0AAXRPZuw2l8orxdBv0kdgkSZF8ZF/+PS3Dasb6j8l1PBK:JAAb2Bik2tZFuM63D5WjqI

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
qwbf ljzv fdna xpfx

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
qwbf ljzv fdna xpfx
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Loads dropped DLL 2 IoCs

pid	Process
4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
3	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
860	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
860	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4476 set thread context of 860	4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
860	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
860	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
860	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 860	4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe	81
PID 4476 wrote to memory of 860	4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe	81
PID 4476 wrote to memory of 860	4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe	81
PID 4476 wrote to memory of 860	4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe	81
PID 4476 wrote to memory of 860	4476	7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe	81

C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
"C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe
  "C:\Users\Admin\AppData\Local\Temp\7c1ceae7d8b4328c35fbdc82116be59ac77d89370b2b0db855e78a79d2d6bed5.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
52B

MD5
ea70cc86528476e4f1225362996952a6

SHA1
93851680188ae3f06e0b419fa5afe38de41b84eb

SHA256
86ecd210e4942095595b70f160ce629c222229b154e64cf97295beb83ade9f63

SHA512
86c4fe02a63c61776b1cda0bca20e87f97a0103d0e9e914e913a5047d2660a804f18a754029f4d1877010d9027968c20107862da56e0033529f9d58a26cde836

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
54B

MD5
8e69760955a717be873f8253ebc6905b

SHA1
c813b0cc54451465777460ef2f46bc98c273c739

SHA256
3159fb26988fd82c5a652bdf09e65bb021011a4f8953f009c0a7d893149a9c8e

SHA512
16de94f841400aeffd2b67ca45e807da10023229f667f746b8fc7b127c347d843ff51b822191e656a94b63d8c8187c928d40113914d34570136c878b64279600

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
11B

MD5
bad78a997013818e85c1091ce1f575e0

SHA1
fa7b6b576c9b365194a222dfd1d3805121544fd3

SHA256
e40f87ab67d67e6a7c1784127b0bdeaa1a053cbc50cbb8155cb469016537513d

SHA512
c2f336b68df9aa5234282eb83c042ff87a0187cbd903739bbcbedd6c30be7807d9cd40f97ccd0196d5bdc84833b796197a832687e99da48f1d370d3875bface4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
19B

MD5
a82a5da452642ddab3a7ee07f7c408df

SHA1
cf937f2e7e57c21beaf57a2b7e0c4b77f37c63f7

SHA256
84911471a6124a186d240b3b67eed83ba5a0a7cb911eefc790712d936c83d568

SHA512
73ed822f62f762e6e8902b4a5c31ea9a0501926d2dd512f5e5285d39fa8b31e82e61294c99c341e0f2046d0cb0351396e8d97afc0ddc71d37c9b680cf757f5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
51B

MD5
25e25dd5339a5ffa3029882c78781ba5

SHA1
4a3f9570af7ac769c1ed9f3f6635610f580f25a2

SHA256
95d99ced3262b6abe20846c575046294e0cace752cab5ab2067c4b78982ab61b

SHA512
7c5ad14c5c038c871576fadd2f7ca1c04425fe7536c0e94e7817197ec43a732369b31ef42ef194c2e44b52dfb55237a3b6a5663e17b106482a7a22f1434f2bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg498D.tmp

Filesize
53B

MD5
6601def372fd604346cc14113dbe6c2f

SHA1
55b5e2406ef28e7c45a60acc6f90795cc088493d

SHA256
f4bf549b30bb96f31c7aec31e319438324daac5f7483e906beadb08ce285bb0c

SHA512
4eae5d296860b66377467aea0e6b6077f2bd993c151c29e2d1428c1d262c49ab4f8ef91cc6a7857f9054a1c86c59f08b8d9168754f5e66f021c2d4a05fffb451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg49DD.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg4A2D.tmp

Filesize
56B

MD5
e57219d5147cb8918c21a7d88b86c614

SHA1
64c602c9c0084e003cc94e7c2c3a13f525e123e1

SHA256
0250901b65d81e9e1a667a2e9e269724f85f45d9cb94cfe707b537b764a41df2

SHA512
286f7fd8bb8db603ac4eeb16dc86718e91718c4e498fded8eea4bf706c4e63cec2161800f60f67bd2bd6dcd60015cb3f46fd9c99f98715fdf73d428b963ee100

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl49FD.tmp

Filesize
20B

MD5
981d979ec49cb64b078f50013c191acd

SHA1
18f103644da4913b96391b7d457ded5706e4d0f2

SHA256
f4e95849a9bf43f048e70b6beb4716762d41fd3efcb59bc58923386a6e3aeb5b

SHA512
d2901d088095cfb15227db5b49f510591e3480be1d4bd16991e794347657bcc4e1e940834961a09d9eaf48c3224886b850973a8eff9cd3ee74f7eec622bb6eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl49FD.tmp

Filesize
60B

MD5
98b5cbda2eee757c64c0a37581a2242e

SHA1
0299d8182adeccf47ff2cb1ca1d146b61478a236

SHA256
b65159dfd5ab684ea4c7af9f5a8c37d26d62bccfbc603fc89fdbc77b0b1702ab

SHA512
50ffab70da4ac2af26d9134eba6823684ba22bead90c8afb4380fdcf5dae931c2bc2231dc668b5203b8946046983fbd9893d3f7a26fcad1c9772c808e3b9e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4B38.tmp

Filesize
25B

MD5
8862560e881d6575fee3adfb711d1c11

SHA1
b936ab218e307ea1dd7da7e3f3e0f727f15ee80d

SHA256
b06ac7eb718baa0f71c83a46cf55b5a1368d93fd3e2007fc6047b4854f3090fe

SHA512
4ddd950a2da0b1c9fecf29fa48d1ac1847f4461bca2fc58f38d2af44657f810e07a8383878dc06a803d5ac77450f5fc90865551f7aea85b48ca97eb0022228b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4B38.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq49CC.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
memory/860-579-0x0000000038310000-0x00000000388B6000-memory.dmp

Filesize
5.6MB

Download
memory/860-582-0x0000000039300000-0x000000003939C000-memory.dmp

Filesize
624KB

Download
memory/860-574-0x00007FFE2B2A0000-0x00007FFE2B4A9000-memory.dmp

Filesize
2.0MB

Download
memory/860-575-0x0000000000450000-0x0000000001767000-memory.dmp

Filesize
19.1MB

Download
memory/860-576-0x00007FFE2B2A0000-0x00007FFE2B4A9000-memory.dmp

Filesize
2.0MB

Download
memory/860-577-0x00007FFE2B2A0000-0x00007FFE2B4A9000-memory.dmp

Filesize
2.0MB

Download
memory/860-578-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/860-586-0x00007FFE2B2A0000-0x00007FFE2B4A9000-memory.dmp

Filesize
2.0MB

Download
memory/860-580-0x0000000038260000-0x00000000382C6000-memory.dmp

Filesize
408KB

Download
memory/860-581-0x00000000392A0000-0x00000000392F0000-memory.dmp

Filesize
320KB

Download
memory/860-584-0x0000000039630000-0x000000003963A000-memory.dmp

Filesize
40KB

Download
memory/860-583-0x0000000039420000-0x00000000394B2000-memory.dmp

Filesize
584KB

Download
memory/4476-573-0x00007FFE2B2A0000-0x00007FFE2B4A9000-memory.dmp

Filesize
2.0MB

Download
memory/4476-572-0x00007FFE2B2A1000-0x00007FFE2B3CA000-memory.dmp

Filesize
1.2MB

Download