agenttesla | 5e921611411a1f372b02c4655a25f021c666b897e6e4f0ff59ef8a8877792c1f

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSK203.exe
Size

495KB
MD5

672127d627b0d1ffdc8f4f6a7f6a4697
SHA1

965c08f135e270201ca61122955104c0de39ad9f
SHA256

c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42
SHA512

f3e6c7837c767944d7e14cac75e5844fa217cfdc3d6dcae575a7d0ad2740617cce9e53e6b28f947114708361570972150737c9c1e3663b5b3ee9fd55a2d6a746
SSDEEP

12288:Pbm37Owct5ERd1ZRad1I5eA2bZxeyCNNrmj:Pbms5EP1CAsZxse

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6859247669:AAER1Rty_3TqZr1VmGGzXWMbtAZFtnPCWCU/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

MSK203.exe

pid process

3952 MSK203.exe
3952 MSK203.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

34 api.ipify.org
35 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

MSK203.exe

pid process

4336 MSK203.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MSK203.exeMSK203.exe

pid process

3952 MSK203.exe
4336 MSK203.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSK203.exe

description pid process target process

PID 3952 set thread context of 4336 3952 MSK203.exe MSK203.exe
Drops file in Windows directory 1 IoCs

Processes:

MSK203.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi MSK203.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSK203.exe

pid process

4336 MSK203.exe
4336 MSK203.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MSK203.exe

pid process

3952 MSK203.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSK203.exe

description pid process

Token: SeDebugPrivilege 4336 MSK203.exe

pid	process
3952	MSK203.exe
3952	MSK203.exe

flow	ioc
34	api.ipify.org
35	api.ipify.org

pid	process
4336	MSK203.exe

pid	process
3952	MSK203.exe
4336	MSK203.exe

description	pid	process	target process
PID 3952 set thread context of 4336	3952	MSK203.exe	MSK203.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	MSK203.exe

pid	process
4336	MSK203.exe
4336	MSK203.exe

pid	process
3952	MSK203.exe

description	pid	process
Token: SeDebugPrivilege	4336	MSK203.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSK203.exe

description	pid	process	target process
PID 3952 wrote to memory of 4336	3952	MSK203.exe	MSK203.exe
PID 3952 wrote to memory of 4336	3952	MSK203.exe	MSK203.exe
PID 3952 wrote to memory of 4336	3952	MSK203.exe	MSK203.exe
PID 3952 wrote to memory of 4336	3952	MSK203.exe	MSK203.exe
PID 3952 wrote to memory of 4336	3952	MSK203.exe	MSK203.exe

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc3368.tmp
Filesize
25B

MD5
cc98cdbdb6e4571f9dbef3d7ef0cecb6

SHA1
0c6c945dacb7dc9269bb8659e61b6bd44e03b5f4

SHA256
fdd17f70c2c855ed3b81bf41d2dbff3a0d85a7f7b019f04c569f897188e0d3b3

SHA512
83a41e73d62f77faf633e3fc5fb4f0ee4984881dc7ed5bbfcd73be815c89a606349cb0adf5de1552cfd0ca0ff3d7bd9c2332658586e582158e53777e2fcfba4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3368.tmp
Filesize
40B

MD5
7555d8867576c283634598e663953f15

SHA1
d148b48ee18f2fd44ad664204c87654a147b1437

SHA256
7135275acb09accf3ebc4449f7d0beb1bd2e4c3cd7e6cb20ac6c5a27927f0e0d

SHA512
3dcdb430401f1a1e83db7c96047bceb11bb4b9c007a699e23d27f459a5e516c5dc6ad8c846e98a158ec461115f5c5175279d872d4dc908c79619e7f30004980e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3368.tmp
Filesize
41B

MD5
01aeb309a102457b7557b79d712fc8dc

SHA1
97843bf5232d55e84c9d9680870ce3833855794d

SHA256
4ae01a0ce57ab403950de39994cbbe27c1079182dd79ad464ebda843cfc9a22e

SHA512
87bcceb5ebbd9b701f3600eeecef7fc21f878b23eed7c0147e201f09b0c485e51c5a5326c371083fa4b95602fc9682ad129f5962a7b27c13d86501c0569852e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3368.tmp
Filesize
37B

MD5
33aa92debcc1f60e7c5854cc89fab1fa

SHA1
dfdb911fe590e83d018b61eb13c3d804a0e61a79

SHA256
11ed97cbf6f46b9d72582a923af9ce569b7546fcc9357e317566d0b4bf0bedd1

SHA512
24c749d4f77a21d79ef28986b5e906d51b2288c5c42216a3f74a484f8949cc26f1e221a8e29e358c3783f28215bde6dd196f228089b38ea72f179ef52c0f2845

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3368.tmp
Filesize
42B

MD5
abaf5afae49de231f371269a34069e0f

SHA1
72bc1aa61539a5f5693f2f058508010b9ef5ba80

SHA256
4d162c7221cd8f79fcd74428283af6fffdb4e5d50b1bf352483b1dac5e866204

SHA512
f36d7195d3b93ee7ce3e986c35182a86a48b74b5ce504c268ab21662a5c05ba270836a0cd3ad78b42f24e5483323f84bb8528dfa3291715cc2c73de7397bb091

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3368.tmp
Filesize
60B

MD5
6905490802a6c440fab7bc3299682016

SHA1
7212e3db4f3387c8ff2daee9a94067db11a218be

SHA256
0fc3d8084bd0470747f5e0ecb10127bbf64b1b7618ab5a819db38e4b839d3451

SHA512
fcf7b1927605f76bd61d0f5c467b040f210d37ae99477f1a1984cc84037c2b7b461c668e1ba993dcb4e9393c2c7a16ac2b42ba2e97d4e18121ba18d800a04a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3454.tmp
Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3338.tmp
Filesize
48B

MD5
040cc34b899dd5230d5113b5156ec5d4

SHA1
60a49c8b3e3f33b38c1780e8826e50d9672c5bcf

SHA256
454a97bbcd88c00fd8617e38fec2ebc855a608adbb751ad5ce4355f6bd171c32

SHA512
e6d441445f20c73e6e23203323dd5ff68ac2a74767fa69aac7c2c1b05e7bd981cf461b66c9d516dc53b4bbc32117c12e103187cfca891846b9d42ee2aa2c423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3338.tmp
Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3388.tmp
Filesize
22B

MD5
7b892b8ac25286dbfdf8fc8817a3e958

SHA1
240e4a574136f73209bdcc9010d20ce1be4ff364

SHA256
dbb3bd7c79c96328be8974b16eaa4cdd93c9bd923c968a36d45474b9f1f93cff

SHA512
a0d65c29e0256655382aa18fcd192b357c02d4c2b7047377e7fc45815c8b3961fbcb90c334a32255a53574751679f0030602147efa43d02633ce09e7b3e8f038

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3388.tmp
Filesize
24B

MD5
942a0add5de9c46c9874a72eba3ce9f6

SHA1
c51748200f0e8ff506ca5d9878573146be220491

SHA256
3d42f06595afec189d9167ecf58d0da6c8294c155e9fc364d8fe8bdcdf25bc89

SHA512
1813eba450ea8bb385b0da7ce4b54a196df7d8b8fb8e79ee9a8161aad31ba7e9e082a337e08c5f09aa19d48a19c1d3c20596893017f350dec28bab36b1366800

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3388.tmp
Filesize
40B

MD5
b8a4108f6ce58d3dbef6bae0f8ee0308

SHA1
797ff9be6fbf70ce8b083b79c0124ae39dad4268

SHA256
a64dc40d4f6ea80dbf4e252aa2929a9d79dc43c0a0582d8befa46052c9993ab9

SHA512
98c1d283ad88f296266c598674707b78eed4cb9344e18b87c8abe243fa588ca7fa2e16ebd675db24cc0d06f07fc10037a81d660a39cab170419995b9b7945c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh3388.tmp
Filesize
56B

MD5
2c77bbd52333e4144ba070082eac42d6

SHA1
d5570ca72f198bd75e1f0d241f0dd69986877ea4

SHA256
54695e5022b16a8b57b4995eabb2d2b2212e0f3fc6ddad15cb2bbc5798fa3c04

SHA512
c800b128aee9e19cfa614be129deed3a440263ff5b58d801e4929ceebf5a930eba8efe948c70e163294a4dabe993a6dcc24f3ca3cef859877da852919dce4162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3328.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx32F8.tmp
Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
memory/3952-576-0x0000000074BB5000-0x0000000074BB6000-memory.dmp

Filesize
4KB

Download
memory/3952-575-0x0000000077D51000-0x0000000077E71000-memory.dmp

Filesize
1.1MB

Download
memory/4336-585-0x00000000387A0000-0x0000000038806000-memory.dmp

Filesize
408KB

Download
memory/4336-586-0x0000000072600000-0x0000000072DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4336-579-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/4336-581-0x0000000077D51000-0x0000000077E71000-memory.dmp

Filesize
1.1MB

Download
memory/4336-582-0x000000007260E000-0x000000007260F000-memory.dmp

Filesize
4KB

Download
memory/4336-583-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/4336-578-0x0000000077DF5000-0x0000000077DF6000-memory.dmp

Filesize
4KB

Download
memory/4336-577-0x0000000077DD8000-0x0000000077DD9000-memory.dmp

Filesize
4KB

Download
memory/4336-584-0x00000000380F0000-0x0000000038694000-memory.dmp

Filesize
5.6MB

Download
memory/4336-587-0x00000000390F0000-0x0000000039140000-memory.dmp

Filesize
320KB

Download
memory/4336-588-0x0000000039150000-0x00000000391EC000-memory.dmp

Filesize
624KB

Download
memory/4336-589-0x00000000391F0000-0x0000000039282000-memory.dmp

Filesize
584KB

Download
memory/4336-590-0x00000000392E0000-0x00000000392EA000-memory.dmp

Filesize
40KB

Download
memory/4336-593-0x000000007260E000-0x000000007260F000-memory.dmp

Filesize
4KB

Download
memory/4336-594-0x0000000072600000-0x0000000072DB0000-memory.dmp

Filesize
7.7MB

Download