agenttesla | 9bf56ab43a909ec49299e2e2d27a7418cb8c5b0b1369015dad171aaebabd509b

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wmss.exe
Size

670KB
MD5

a0a76a3cb895af970be13cca6504e378
SHA1

dd554c3c7f784a7e0be22ee657791224c0bf6a1c
SHA256

9bf56ab43a909ec49299e2e2d27a7418cb8c5b0b1369015dad171aaebabd509b
SHA512

5e28ff39e2c11160f286ab67159b3e3975e7b0f979369cc3a67ef450a7dac7536be5cfae2742405ebcfae54e695cddb54c28379c20478e881117d8a90dba11ff
SSDEEP

12288:v1zHj5QmY+pTUXzmXC+DEh3LAH3xCeZy5+Ksj:v1rjex+wmy+DEtUHhCAy51

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
4592	wmss.exe
4592	wmss.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\kaleb.ini	wmss.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4836	wmss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4592	wmss.exe
4836	wmss.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4592 set thread context of 4836	4592	wmss.exe	93

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\skitserer.ini	wmss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4836	wmss.exe
4836	wmss.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4592	wmss.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	wmss.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 4836	4592	wmss.exe	93
PID 4592 wrote to memory of 4836	4592	wmss.exe	93
PID 4592 wrote to memory of 4836	4592	wmss.exe	93
PID 4592 wrote to memory of 4836	4592	wmss.exe	93
PID 4592 wrote to memory of 4836	4592	wmss.exe	93

C:\Users\Admin\AppData\Local\Temp\wmss.exe
"C:\Users\Admin\AppData\Local\Temp\wmss.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\wmss.exe
  "C:\Users\Admin\AppData\Local\Temp\wmss.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa3C00.tmp

Filesize
57B

MD5
0b66f70a086797e3c9d810089c376755

SHA1
aa9a99dcae2c50513922413999a555bc89af69b1

SHA256
80eb66b392cf670bb4afede5a57488fc9e9166f9a8c492f290d150c834e1e6aa

SHA512
83461cf2e760708cbdf9a083594c63f55e4b2d90166d5ba3b3f06e1e35e3b9be2c6d1a97da5b7ac04a444d4c6ab04da11adf8a0a1a268597c1e6f3022c8445f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3C00.tmp

Filesize
20B

MD5
9111ba1d1ceb4b7f775d74730aac363e

SHA1
c0af4968c775735be12419b60b257ed4359cb9b2

SHA256
0883f5bab7d5dafd9efec59b917070f5d051f50b047951d1ea87dab27fef7b91

SHA512
836c5d3941109691f2589e317e10d661978d9fc4af435bde3467159913ff9192d6eab1efe3e50e2048d06ce0c85963efe1ac056e1fd6ff1d33ac05f25beabbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3C00.tmp

Filesize
25B

MD5
d584d82e5221c4884dc3062781421038

SHA1
d8a56398883028032d6fc1c8630b8a8479127277

SHA256
f8d9811bb3d103f15ec0af4c4dea41769bcfb128bb961445461efa233772902a

SHA512
071d0f71114e7a0bb94ec3886fe1b9823ab2740b1509c755c8a08f40e4aeb5f04186722ae8a39ae8b66fc35ce4fc5cdee998bd6b85215cb02ef041366645f076

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3C11.tmp\System.dll

Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3D4A.tmp

Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3D4A.tmp

Filesize
30B

MD5
f7bcbbddb5cb20fdfce72f842cacabe1

SHA1
031c00c0eb114ed2234679c39cb34fdbb9debfb3

SHA256
35dad955ee2ccfe66eb80d670721acf7f83915f1204f07d449aace9c9ca1f2e3

SHA512
2bdb271d96cece4289dec71c02b30a64e509e1e93f25168fd78c72b8197937cc398df0ece30dabc2253129621b8108ed38fa9b2ced12e70ff3f9c5f8ae7b0b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3D4A.tmp

Filesize
33B

MD5
d0c16d35895f4a76cb4fa85fc11c6842

SHA1
61d36c5b3fd3f0772608359b7ed9890b0474aee0

SHA256
d6063a46a92e1a2600bb31588a58cf906711aaaa1813e593c191da5881b46a59

SHA512
3595c1578f0c1a2d47d75f2c5260bd7b85551501c94a0abf609752e04e2e9f1f9d7a19f654d803a0c65d40d4b74dfb32d31bd88a9b8813e7466b914d2b800951

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3D4A.tmp

Filesize
34B

MD5
2a9c98ea1aa7a05604ab51073fcd45c7

SHA1
3f970ebeb4f5ef40f8bb1e16d64ab410c3af3962

SHA256
ba493b1e2704c417662224230bffa2effae24f9fbf8c56a7bcb93ac02bc2abd9

SHA512
fe999f6186c4bb20113cfdddba193cf777941a9ce223f0c6d8f85dc5e2668df6f820922d7b75f255ec2d5355f1881f3867686363f4c5f630ffa8b48b079d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E36.tmp

Filesize
1B

MD5
8ce4b16b22b58894aa86c421e8759df3

SHA1
13fbd79c3d390e5d6585a21e11ff5ec1970cff0c

SHA256
8254c329a92850f6d539dd376f4816ee2764517da5e0235514af433164480d7a

SHA512
2af8a9104b3f64ed640d8c7e298d2d480f03a3610cbc2b33474321ec59024a48592ea8545e41e09d5d1108759df48ede0054f225df39d4f0f312450e0aa9dd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E36.tmp

Filesize
4B

MD5
cde63b34c142af0a38cbe83791c964f8

SHA1
ece2b194b486118b40ad12c1f0e9425dd0672424

SHA256
65e2d70166c9a802b7ad2a87129b8945f083e5f268878790a9d1f1c03f47938d

SHA512
0559d3d34ad64ccc27e685431c24fc6ead0f645db14fa0e125a64fb67dbd158c15432c1fc5407811aac8a3486090dfbcfcbc3c6bf5aa0ec73f979ef62d14853c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E36.tmp

Filesize
15B

MD5
03789c00a9fe96c420d84fe30cbd902c

SHA1
c3e589ccd78b4e000d7d294a0d308dfd385a1f43

SHA256
b157a4d58f55726c15605ad776c9c961b28e1ce295d3ebcbad6ac80e5f2c9503

SHA512
16b8866f73666e76b5fd8e04d362a9907accee835e2814197829a06b6f8442ca2ac6aef98960afcaedf64ad403e53374eb59746716dd5b4257d26d4ebfff72a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E36.tmp

Filesize
22B

MD5
1a976b081f77c04dad951286222ed3da

SHA1
1fd2c47eab6b8b5ee42fee2f8238bd065881d99d

SHA256
d7c42493656ae25d5a3ff0b7fa739e43557d2c54a82833c8782ddbe8d364816d

SHA512
e087d4f397761e3525241f2610f8be1bd46533905fc0bf39435127e1341c1f4c21fc1d2f1b213d78b0505d8bafbc4f797b85537601a0f186850457d3d2847a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm3E36.tmp

Filesize
47B

MD5
2006f4deacd72f4dbd80af059a00026e

SHA1
e935054dac0261b7d5bebfc54fc93cc56b5f9db7

SHA256
98baff73ffc47546f3c688cc5ec49378d01dc4de02e4cac34948e649505f4862

SHA512
dc99d3b89e14c5e03999d2f7a58b7bd8087e782a0731b2ba849a1184e87fcff1f9b272e0bd6a95ca8cb2dc000498272190f9c971f7b3217e4f65f96945753b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn405B.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F40.tmp

Filesize
2B

MD5
25bc6654798eb508fa0b6343212a74fe

SHA1
15d5e1d3b948fd5986aaff7d9419b5e52c75fc93

SHA256
8e5202705183bd3a20a29e224499b0f77a8273ee33cd93cca71043c57ad4bdfc

SHA512
5868c6241ed3cfcc5c34bfe42e4b9f5c69e74975e524771d8c9f35cafc13fd01cd943ec4d8caefee79a1f4a457e69d20b7a86f88db83a5bc3e6bd8a619972898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F40.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F40.tmp

Filesize
37B

MD5
5ef4248435764afff735ebfe5980ed85

SHA1
6dd5e8faa97c1d44f0b893b3c4453b01355e606f

SHA256
a0bfbeb9751eb45d0863fac09c62a089d2440f94fec774efa9ef4c3410a78c7a

SHA512
8c2c015281e8017e16290bec1f60f1d1b141c9c126384358691ee4814288f51b6f509a0da8278a0816bb44590d3c8c0a3b2ce26f453da3c718a822ade871fb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F40.tmp

Filesize
52B

MD5
c80074a795f60d394997819a86a5cb1c

SHA1
7d836f0fce0646bcedb226728c0d0344e58343ab

SHA256
609e7e024f9c44ad40a00b95da4e55d5fec33a7ede4df7faf6cbdade29c80e2f

SHA512
6674f2a3f2239233e1729b6769631284622a28b0c5c99e27a41b0e3e5e2aa6c11cc0222c5faf1434a2aa838f114e7c08d380aaeaf2dd7fec336dc22c6d14a2c3

Download Submit
C:\Windows\SysWOW64\kaleb.ini

Filesize
45B

MD5
9dfd97e7025bf54441fe6759f87e5ddf

SHA1
0f04ae6a7bc2213255fc72898f339b12bd743f24

SHA256
eea1bdc93e5a8fcbca0aea236d83b487ad2af028095a0d0107f02d397b4372fb

SHA512
08ea09b23814906f040060b46d919d45f6aee0c96b27d0baa88813bc46032c274546adb89e354b78f659c962a8588adbbd49966951e1f1b097e2484a07678f44

Download Submit
memory/4592-839-0x00000000041F0000-0x0000000005B63000-memory.dmp

Filesize
25.4MB

Download
memory/4592-840-0x0000000077C51000-0x0000000077D71000-memory.dmp

Filesize
1.1MB

Download
memory/4592-841-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/4592-849-0x00000000041F0000-0x0000000005B63000-memory.dmp

Filesize
25.4MB

Download
memory/4592-843-0x00000000041F0000-0x0000000005B63000-memory.dmp

Filesize
25.4MB

Download
memory/4836-844-0x0000000077CD8000-0x0000000077CD9000-memory.dmp

Filesize
4KB

Download
memory/4836-845-0x0000000077CF5000-0x0000000077CF6000-memory.dmp

Filesize
4KB

Download
memory/4836-846-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/4836-847-0x00000000004A0000-0x00000000004E0000-memory.dmp

Filesize
256KB

Download
memory/4836-842-0x0000000001700000-0x0000000003073000-memory.dmp

Filesize
25.4MB

Download
memory/4836-848-0x0000000035A60000-0x0000000036004000-memory.dmp

Filesize
5.6MB

Download
memory/4836-850-0x00000000359B0000-0x0000000035A16000-memory.dmp

Filesize
408KB

Download
memory/4836-852-0x00000000364C0000-0x0000000036510000-memory.dmp

Filesize
320KB

Download
memory/4836-853-0x0000000036510000-0x00000000365A2000-memory.dmp

Filesize
584KB

Download
memory/4836-854-0x00000000365F0000-0x00000000365FA000-memory.dmp

Filesize
40KB

Download
memory/4836-856-0x0000000001700000-0x0000000003073000-memory.dmp

Filesize
25.4MB

Download
memory/4836-857-0x0000000077C51000-0x0000000077D71000-memory.dmp

Filesize
1.1MB

Download