agenttesla | cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
Size

498KB
MD5

b616cc8c02b88cff3a1d36ab29673399
SHA1

34689314dda15bd7e84fb84e4cf09749f548bdd3
SHA256

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56
SHA512

21ed90d8b55b780c6dfd95e5ff6aab8fcd4818a7d199160532f43630ce4d97ccfc54a5624665c7a811b4c2ee9dba16488343181ce972d1bac3ce5aa8428121a3
SSDEEP

12288:abmJMxaP3/NCDptpDcC69kq6YX/ir+KY+1Nrmz:abm3PNC/6kq6YvirbYP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Loads dropped DLL 2 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

pid	process
764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

pid process

2580 cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.execd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

pid	process
764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
2580	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

description	pid	process	target process
PID 764 set thread context of 2580	764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Drops file in Windows directory 1 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

pid	process
2580	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
2580	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
2580	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

pid process

764 cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

description pid process

Token: SeDebugPrivilege 2580 cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

description	pid	process
Token: SeDebugPrivilege	2580	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

description	pid	process	target process
PID 764 wrote to memory of 2580	764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
PID 764 wrote to memory of 2580	764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
PID 764 wrote to memory of 2580	764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
PID 764 wrote to memory of 2580	764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
PID 764 wrote to memory of 2580	764	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe	cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe

C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
"C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
  "C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsfF83D.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfF9C7.tmp

Filesize
5B

MD5
92877af70a45fd6a2ed7fe81e1236b78

SHA1
0b7f849446d3383546d15a480966084442cd2193

SHA256
5860faf02b6bc6222ba5aca523560f0e364ccd8b67bee486fe8bf7c01d492ccb

SHA512
8ac4145c8e388ddfe3cd94886f026260d917cab07903c533f3a26945019bc4a50e6f23f266acbb0cbae89130fa3242c9a5145e4218c3ef1deebccb58d1a64a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfF9C7.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF80D.tmp

Filesize
27B

MD5
b93641813851b1ad166b8163e5aeddc9

SHA1
642d989ceea62bcfd70fb74f3c62ade0c1c41d78

SHA256
1628c6bee5afc85044309f45e34190bc9ce8bd9516e30792460e14362657d42d

SHA512
eee31a0d51df3a7ba35ab4025f8d458c4d12b6f46412982ad34aef31d9e83c7070056a07777ed4b62fb3b92b376b618099374901ffe4f988fe0f853a0e57c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF80D.tmp

Filesize
36B

MD5
056fd9e747f45f72c12ed185db65ca8f

SHA1
96b9e5254b0c249a3393008a3fb160b18319532b

SHA256
b46a1b647cd0ac5d5ed27381e1559a8ed6244c5bb7a0d27a41ab1784c40bef85

SHA512
93f9577f9226d4c090034d81735a61a4505da2068e207d5885452637bfcf87f434278e58db281bce79d49e0d941bf3ead9550541b459fad386a7dd60e24c4446

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF80D.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF85E.tmp

Filesize
19B

MD5
adfb82dfa0a66bd7e108a83873cbd4cf

SHA1
caaf90327bb1e7b6731e154351f351bf3a3bb1c4

SHA256
2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228

SHA512
103f484f3497eaf8cc231f09a5c565ba524d5af523970272d9a853ede106fc176f524bb6aeb8f7f59992e7a5651abb55b80134d539bb050aaf780624422d982b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF85E.tmp

Filesize
42B

MD5
0bcee8c5e82ac40f66e8751ce6ce68db

SHA1
691dac6d13305f37d0131b4f9fbea4056464bdc3

SHA256
5321dbf97f475fe82925e543c2b69a42e13e957b56e1f0383e752cef75461df1

SHA512
a105f320202bddd4b0b41e73c4dca1f7fbc07c48a58f1fb9d5b31b9078715f47f665f963be5a81f322b9101bde7100e8a03bff01d29085b8acbe9f894f84ddc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF85E.tmp

Filesize
59B

MD5
a95db921a0fe57e6aefc41a5c0ffc732

SHA1
cd717fa5761f8d489d5578dd9f1b8e2b60ed7b72

SHA256
b03db7bd6621619695e753f43ae1928527e03361af8e4fabcc28592770ac934d

SHA512
004cb8bda6852b10060c9866b12fc0b9127624efde028558e6a4da4482c98fe9df1ff5715eb07053174edd731771cac1130c1325f4b1836678f6386c739bcabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF85E.tmp

Filesize
58B

MD5
f67a3217c82ee42ab847ae31ec8d5791

SHA1
8ee856e52728943f838e10a85ebd2ffd0086d0f9

SHA256
84876c01e6a993ee50e93b2095a67f4fe409d2b37ad23cfcd889840e89ae5cca

SHA512
a2f57de19c3c71836a0028be375daa0d7bcf4dd0d64609a70db6769e2491d8250df1a2f9cd569bc8a30f0bc7782fa4aff13ecb6d2b16bdc6bf2cef6745e86dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF85E.tmp

Filesize
60B

MD5
7e828655d00269fe9d73e99520061456

SHA1
5341e579934758bc6e25ae7b8e4fb559d8fea2ff

SHA256
0d1a557b0e8d85d8d78e905004b1a7037fc12d6ffa801ec4a44262ac28e4bb3c

SHA512
c954c3ed0038f3888cdaf33232dad08370d5204e8054a381381959bcd1bd2125807ad3488ac94d4871db5310dc8f64b721307af1fb2711c22e4860e6d11e8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF8AD.tmp

Filesize
16B

MD5
1a069d3d8cca839a3c2f44a0e833d67c

SHA1
2bdc93e3d3aac0914cd4d3d43210bc2b2c7f09cf

SHA256
0c09cbcf0803dc2c44739757d37fe7f33fa193d747df71db3172e68aa0ddb309

SHA512
970ed67a84e4132b0336cd8f7c07c4ab6dc56ce97993b64e4e94a80e76ee7bd4ca04349cd0113df5e04053fbfde9d27c3cb5ab61a9492d584b7febfcaddf53e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF8AD.tmp

Filesize
21B

MD5
536389bbf053b80ce24ccb866d88062d

SHA1
6b73170d96a856ed910dad0c6da873ef30f90396

SHA256
43cb47f4df5b0c44fda22501a37e5ea542847cb48c2e184e10d47dd20900c2e4

SHA512
6d86692b95765720e371e1c026eeaa8adcb4a166c733a172d6a578b67e9cf604c12a907ea927e494463c6102a40262a1f0b4059c62b330110d64f4c5b8208a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF8AD.tmp

Filesize
31B

MD5
5415d7b5f473470da156e7453759be0a

SHA1
58cd7f10d07971346f26146e8fd7103f421e094a

SHA256
761068ce3e6a6df09bf30f006f40a21d1ea84dad04f61906ac807f68eda52947

SHA512
560af3a778d993cdd475f90e9a8df55b7e402291cf1787b73d1d5c3f1c4366975282b3685c51c59b2a3f3bdb2374b94aeda84ceaa1b65973278168546eb239f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF8AD.tmp

Filesize
45B

MD5
31d61c76e79aeb7a47ea32ae17caf8d1

SHA1
e6a1c27f56f4d1b488693006ac7b939019982d54

SHA256
6460a03b8efc3e44cf547b6828f0f80ecdff029fbf0046ec28939b5c64040eab

SHA512
43c1d26a322f5a1fc1c0700e0baf6be63f8d22bc1685231f332e188ee1a074400b838e418676b6e75bf38c6aa622afa01eccc8bef2294029a64e44ee40fe1f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nskF8AD.tmp

Filesize
56B

MD5
53b8f59e083aa7c1b4fe5ed372e3e7e4

SHA1
98782aed5619d59ed36429277fe238727387955e

SHA256
bc97a078a44781b51dc6a3d5c38147c918c8311459c1c3d5d272002c513a68af

SHA512
5ef8041026150b346839577e782a4ace6b2c9b2e3e0cc2ddd9e29dc34dbf598902e1895adf6353aaed6f56743c8d421d1dc898d188dbbaaa5bcca224e7306bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuF84D.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
memory/764-575-0x0000000077DC1000-0x0000000077EE1000-memory.dmp

Filesize
1.1MB

Download
memory/764-576-0x0000000074C25000-0x0000000074C26000-memory.dmp

Filesize
4KB

Download
memory/2580-578-0x0000000077E65000-0x0000000077E66000-memory.dmp

Filesize
4KB

Download
memory/2580-584-0x00000000390F0000-0x0000000039156000-memory.dmp

Filesize
408KB

Download
memory/2580-579-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/2580-580-0x0000000077DC1000-0x0000000077EE1000-memory.dmp

Filesize
1.1MB

Download
memory/2580-581-0x00000000725EE000-0x00000000725EF000-memory.dmp

Filesize
4KB

Download
memory/2580-582-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2580-583-0x0000000038B40000-0x00000000390E4000-memory.dmp

Filesize
5.6MB

Download
memory/2580-577-0x0000000077E48000-0x0000000077E49000-memory.dmp

Filesize
4KB

Download
memory/2580-585-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/2580-586-0x00000000395E0000-0x0000000039630000-memory.dmp

Filesize
320KB

Download
memory/2580-587-0x0000000039630000-0x00000000396C2000-memory.dmp

Filesize
584KB

Download
memory/2580-588-0x0000000039710000-0x000000003971A000-memory.dmp

Filesize
40KB

Download
memory/2580-591-0x00000000725EE000-0x00000000725EF000-memory.dmp

Filesize
4KB

Download
memory/2580-593-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download