agenttesla | c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSK203.exe
Size

495KB
MD5

672127d627b0d1ffdc8f4f6a7f6a4697
SHA1

965c08f135e270201ca61122955104c0de39ad9f
SHA256

c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42
SHA512

f3e6c7837c767944d7e14cac75e5844fa217cfdc3d6dcae575a7d0ad2740617cce9e53e6b28f947114708361570972150737c9c1e3663b5b3ee9fd55a2d6a746
SSDEEP

12288:Pbm37Owct5ERd1ZRad1I5eA2bZxeyCNNrmj:Pbms5EP1CAsZxse

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6859247669:AAER1Rty_3TqZr1VmGGzXWMbtAZFtnPCWCU/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

MSK203.exe

pid process

4856 MSK203.exe
4856 MSK203.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org
24 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

MSK203.exe

pid process

264 MSK203.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MSK203.exeMSK203.exe

pid process

4856 MSK203.exe
264 MSK203.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSK203.exe

description pid process target process

PID 4856 set thread context of 264 4856 MSK203.exe MSK203.exe
Drops file in Windows directory 1 IoCs

Processes:

MSK203.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi MSK203.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSK203.exe

pid process

264 MSK203.exe
264 MSK203.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MSK203.exe

pid process

4856 MSK203.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSK203.exe

description pid process

Token: SeDebugPrivilege 264 MSK203.exe

pid	process
4856	MSK203.exe
4856	MSK203.exe

flow	ioc
25	api.ipify.org
24	api.ipify.org

pid	process
264	MSK203.exe

pid	process
4856	MSK203.exe
264	MSK203.exe

description	pid	process	target process
PID 4856 set thread context of 264	4856	MSK203.exe	MSK203.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	MSK203.exe

pid	process
264	MSK203.exe
264	MSK203.exe

pid	process
4856	MSK203.exe

description	pid	process
Token: SeDebugPrivilege	264	MSK203.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSK203.exe

description	pid	process	target process
PID 4856 wrote to memory of 264	4856	MSK203.exe	MSK203.exe
PID 4856 wrote to memory of 264	4856	MSK203.exe	MSK203.exe
PID 4856 wrote to memory of 264	4856	MSK203.exe	MSK203.exe
PID 4856 wrote to memory of 264	4856	MSK203.exe	MSK203.exe
PID 4856 wrote to memory of 264	4856	MSK203.exe	MSK203.exe

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\MSK203.exe
  "C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc2618.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc2619.tmp

Filesize
45B

MD5
34d32f9b446e46883ec3157794403748

SHA1
e797e81a28e395ea751871b21e638e43d62d0f61

SHA256
a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e

SHA512
48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc2619.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc2669.tmp

Filesize
47B

MD5
404b93a1dab1c4253a40a1c056dd65c2

SHA1
92e6feb269bdd27189f5497813056eddd2f73688

SHA256
8c62bd50f059ad9bcd19b76646f083dbd701d38ebfdc9f3ad0ac3759760fc976

SHA512
d36c664b16e4b6504ba3ce567d818aac5e65b2f4f6fef9afd8077f5844616032cfe4e4c3c0eb0a85fd711a0451aa964a9db9c86dd827df6cf243dbf5cdb6ade7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc2669.tmp

Filesize
56B

MD5
2c77bbd52333e4144ba070082eac42d6

SHA1
d5570ca72f198bd75e1f0d241f0dd69986877ea4

SHA256
54695e5022b16a8b57b4995eabb2d2b2212e0f3fc6ddad15cb2bbc5798fa3c04

SHA512
c800b128aee9e19cfa614be129deed3a440263ff5b58d801e4929ceebf5a930eba8efe948c70e163294a4dabe993a6dcc24f3ca3cef859877da852919dce4162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh25E8.tmp

Filesize
69B

MD5
3f9d86b820955195e9467112480c175c

SHA1
c9b53af6ff79125000b5aee2afb33ce6575d4d31

SHA256
ab4b36271e68b6e5b546158733c5450e775242021442a40bec4e42838eecca53

SHA512
ed78bd4b7b9b953bf73b1156872864b68ba1b46b3c2e5d21c56766217ec8b70e6421796a9d31716a94d62d81cf7a2c9f83735ea7c229881d4845c70364b77a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh25E8.tmp

Filesize
53B

MD5
6601def372fd604346cc14113dbe6c2f

SHA1
55b5e2406ef28e7c45a60acc6f90795cc088493d

SHA256
f4bf549b30bb96f31c7aec31e319438324daac5f7483e906beadb08ce285bb0c

SHA512
4eae5d296860b66377467aea0e6b6077f2bd993c151c29e2d1428c1d262c49ab4f8ef91cc6a7857f9054a1c86c59f08b8d9168754f5e66f021c2d4a05fffb451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh25E8.tmp

Filesize
70B

MD5
f603843c4b1146c576a2c9e0826de265

SHA1
5de71ba33c20cfb74c19c706a4a44706d78fb102

SHA256
ada9d1ffc0e78d2e2c05290b4ba1b1b04bc9c97a8f8e084ae0d49e36a9bb9c0c

SHA512
7a5a8ebc1c12193783ae711eb4716c1a2e52d1c4799dcd7f2a29924c246b1c665f456de3eaffd5e9cd7f42e788009e2798d1121c8d695698c86349bff17d5e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh25E8.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2725.tmp

Filesize
12B

MD5
09d54140ca4897a5dc46fec5c04cb530

SHA1
5f528588450ff2d2119ccb7bbd651dc4a75ed8a4

SHA256
b7d98304a9d2f018fb3187cb06ec6c706412af7bee852eb48d23dde3e410a917

SHA512
a8931cfef08e50c9fbed7dcf96eadfd0ff23c0852a05c922c1eb019333ecf8586cc2c1b2f1d2588d5c0aa733b151c72ad3b203280979c54dfa74e773876e1f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2725.tmp

Filesize
17B

MD5
e3e52271695d789252499380bab83be2

SHA1
a87dda09a98f8ed7ada5db378914743c76acee6f

SHA256
96f0ffcdf2308d036f51f1fad5fb1e501f7137ab3c010c165210530c105d9be4

SHA512
57f2aa081f3b2c756861dbab5296c1f143026b2f178b45746411fa6e0852fbf0106415801ae99d5d30fecc944296b453fb1b258e9df2f6669c0a8fb6d4a780aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2725.tmp

Filesize
23B

MD5
742d3f392842fd0a5ebecea567c2af34

SHA1
b680bc716a2b53ef6af5edcbf222e6ac2606e1e8

SHA256
c7c952a7580d506f694240eb56e705a182561523c14116ab5aab1c2c87f886bf

SHA512
1642176efc91de80dd89412d982f8c9b1b53a0c96067fdbb70cc04a94c0d37d18caee0bdfab9666930af4e50ad37fdb5335e58c210b67fa59420044d4130aedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2725.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2649.tmp

Filesize
13B

MD5
1783e9a8f74ea827208a35b5a8c0c0b4

SHA1
68913138931e5d1cdf495708cf86d082454dc6cf

SHA256
20ed8777c986040dba3187aab791c6df6f87f42c3002b15bcc8bfa9718d842e8

SHA512
8da8702b8e97de4d9cd9c294574e10363e34f3cf7796b1e2c78be543a482472922be3d75a716c67b63a291b898528531c132553ef20174ea99eb3bd37ac3608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2649.tmp

Filesize
15B

MD5
03789c00a9fe96c420d84fe30cbd902c

SHA1
c3e589ccd78b4e000d7d294a0d308dfd385a1f43

SHA256
b157a4d58f55726c15605ad776c9c961b28e1ce295d3ebcbad6ac80e5f2c9503

SHA512
16b8866f73666e76b5fd8e04d362a9907accee835e2814197829a06b6f8442ca2ac6aef98960afcaedf64ad403e53374eb59746716dd5b4257d26d4ebfff72a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2649.tmp

Filesize
27B

MD5
a4fef08db3bf7402436db287f01bb2fc

SHA1
66c9356fcc83fdda2e04821fa06ab8bee4f26720

SHA256
92bbc71aa04b34f3d6666861e615244db3d3be6f1287b3947115ea9d0e98a5d7

SHA512
3da695803076c9b338d9fac3d9da91ac8e0f8b4fb28665ad175325684a5688e83f56bff62766d99583ea9b2a0e394ad64f4fff3fc45b3fe154e6b4026ef7a44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2649.tmp

Filesize
32B

MD5
a9a74595348b4a93b3a30bf42998610f

SHA1
ed9f656eae407e09455daa884b3bd25824a007f1

SHA256
a65b32f25f6401bb88c26d40f7517149a03f585619d056cf583b0d0a2f3fe21b

SHA512
35a8bb75a88a0152cfe260a76a120452877eeea953572ccda2bdacc29bd72740838efcf3ff6f02c691153a3779cb65c2763ed54972532395dc1b197a2ea902eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx2649.tmp

Filesize
60B

MD5
6905490802a6c440fab7bc3299682016

SHA1
7212e3db4f3387c8ff2daee9a94067db11a218be

SHA256
0fc3d8084bd0470747f5e0ecb10127bbf64b1b7618ab5a819db38e4b839d3451

SHA512
fcf7b1927605f76bd61d0f5c467b040f210d37ae99477f1a1984cc84037c2b7b461c668e1ba993dcb4e9393c2c7a16ac2b42ba2e97d4e18121ba18d800a04a1d

Download Submit
memory/264-585-0x0000000035F30000-0x0000000035F96000-memory.dmp

Filesize
408KB

Download
memory/264-589-0x00000000391F0000-0x0000000039282000-memory.dmp

Filesize
584KB

Download
memory/264-577-0x0000000077AE8000-0x0000000077AE9000-memory.dmp

Filesize
4KB

Download
memory/264-578-0x0000000077B05000-0x0000000077B06000-memory.dmp

Filesize
4KB

Download
memory/264-579-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/264-581-0x0000000077A61000-0x0000000077B81000-memory.dmp

Filesize
1.1MB

Download
memory/264-582-0x000000007231E000-0x000000007231F000-memory.dmp

Filesize
4KB

Download
memory/264-583-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/264-584-0x0000000038140000-0x00000000386E4000-memory.dmp

Filesize
5.6MB

Download
memory/264-595-0x0000000072310000-0x0000000072AC0000-memory.dmp

Filesize
7.7MB

Download
memory/264-586-0x0000000072310000-0x0000000072AC0000-memory.dmp

Filesize
7.7MB

Download
memory/264-587-0x00000000390F0000-0x0000000039140000-memory.dmp

Filesize
320KB

Download
memory/264-588-0x0000000039150000-0x00000000391EC000-memory.dmp

Filesize
624KB

Download
memory/264-594-0x000000007231E000-0x000000007231F000-memory.dmp

Filesize
4KB

Download
memory/264-590-0x00000000392E0000-0x00000000392EA000-memory.dmp

Filesize
40KB

Download
memory/264-592-0x0000000077A61000-0x0000000077B81000-memory.dmp

Filesize
1.1MB

Download
memory/4856-576-0x00000000748C5000-0x00000000748C6000-memory.dmp

Filesize
4KB

Download
memory/4856-575-0x0000000077A61000-0x0000000077B81000-memory.dmp

Filesize
1.1MB

Download