agenttesla | 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aviso legal.exe
Size

821KB
MD5

c7ae7bfda7f71b76c6f3213cfe94529e
SHA1

eebcb778056a8fa9a33255141d70ffac41523caf
SHA256

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
SHA512

70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2
SSDEEP

12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

Aviso legal.exe

pid process

1752 Aviso legal.exe
1752 Aviso legal.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 api.ipify.org
52 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Aviso legal.exe

pid process

1640 Aviso legal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Aviso legal.exeAviso legal.exe

pid process

1752 Aviso legal.exe
1640 Aviso legal.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Aviso legal.exe

description pid process target process

PID 1752 set thread context of 1640 1752 Aviso legal.exe Aviso legal.exe
Drops file in Windows directory 1 IoCs

Processes:

Aviso legal.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi Aviso legal.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Aviso legal.exe

pid process

1640 Aviso legal.exe
1640 Aviso legal.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Aviso legal.exe

pid process

1752 Aviso legal.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Aviso legal.exe

description pid process

Token: SeDebugPrivilege 1640 Aviso legal.exe

pid	process
1752	Aviso legal.exe
1752	Aviso legal.exe

flow	ioc
51	api.ipify.org
52	api.ipify.org

pid	process
1640	Aviso legal.exe

pid	process
1752	Aviso legal.exe
1640	Aviso legal.exe

description	pid	process	target process
PID 1752 set thread context of 1640	1752	Aviso legal.exe	Aviso legal.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	Aviso legal.exe

pid	process
1640	Aviso legal.exe
1640	Aviso legal.exe

pid	process
1752	Aviso legal.exe

description	pid	process
Token: SeDebugPrivilege	1640	Aviso legal.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Aviso legal.exe

description	pid	process	target process
PID 1752 wrote to memory of 1640	1752	Aviso legal.exe	Aviso legal.exe
PID 1752 wrote to memory of 1640	1752	Aviso legal.exe	Aviso legal.exe
PID 1752 wrote to memory of 1640	1752	Aviso legal.exe	Aviso legal.exe
PID 1752 wrote to memory of 1640	1752	Aviso legal.exe	Aviso legal.exe
PID 1752 wrote to memory of 1640	1752	Aviso legal.exe	Aviso legal.exe

C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe
"C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe
"C:\Users\Admin\AppData\Local\Temp\Aviso legal.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc3FCA.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi40D8.tmp
Filesize
22B

MD5
38f296e431f9e889c855110f746a1a1f

SHA1
a1f2212648b7d681e10a295ca270ec6ef9c7cb2a

SHA256
89870b6b02e2247d1e10942aceede7bf4adeb820bae945b77d0e2c5f5669e514

SHA512
a074bd4debd9aa11fc50c3ab1cd5b1aaf365931d790600818ea51a58bfca6ea17feb872a1a11dfd8542cd5e1798bdf171e4305e81e4a409a0253db31c84b91e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi40D8.tmp
Filesize
23B

MD5
742d3f392842fd0a5ebecea567c2af34

SHA1
b680bc716a2b53ef6af5edcbf222e6ac2606e1e8

SHA256
c7c952a7580d506f694240eb56e705a182561523c14116ab5aab1c2c87f886bf

SHA512
1642176efc91de80dd89412d982f8c9b1b53a0c96067fdbb70cc04a94c0d37d18caee0bdfab9666930af4e50ad37fdb5335e58c210b67fa59420044d4130aedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi40D8.tmp
Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F8A.tmp
Filesize
59B

MD5
42d9107b0a7dcefc04b2f720704232c6

SHA1
c1d191f3c1f96b4d587f76a5335bd52a53521748

SHA256
5745e24f1d2217560ffd59274adb500eb2b350a3fcc86cda4e6181fbe4f96ece

SHA512
9b2d770cccc6966625fc63e6c8eb4410a35d656710494851ab4f5f6e94427819b1197370b54be88ad1f4fed76fe7a005e03314a87e69d6876940c8c0eacc5904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F8A.tmp
Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F8A.tmp
Filesize
34B

MD5
44faec7c0702b7ef4cda5820a608da0a

SHA1
10313d20436f6968228a07ad4dfad29f37e6532d

SHA256
c9eb8d8cea8dd215bb20f4674c6b4b3ea865cc9390eb982c501af89142dfd95d

SHA512
dd2bf84c8609abd2f9acc8f45ead13f65f2f804cc2951774b857c0a86616d2a4656a88af4d8277e71bb3bf34afd065ed4dd62577f215f8e4b2f6683967db3a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr3F8A.tmp
Filesize
55B

MD5
2598d3e10bec5798f73f49de505a8514

SHA1
4431b20a112e277250649a917f846a6627870a60

SHA256
08643cfe1a514214ae4175809b7eadbc0bff209e07adf091e91748dccf9ca874

SHA512
83687d6fb3238184b92f04cc70e54ede282d56e34f67781db6c4dfd9529cab30ba15d9ca3059b68f9d82eb87a8d6432e80ba0779d1438c1df861b0bb30905f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3FDB.tmp
Filesize
13B

MD5
7a02f5fcc4fa926f656690c64b909ab6

SHA1
b92430a7da87fac12ae7ba0aea3cc4373a91b2ce

SHA256
4c9cf56a764d54f52d17f4d6a99962dee20b5fe54888357ea9532bb8c54869c9

SHA512
1f95dbfdda145dd50b2c9013fb165cb84eb87879442c30b92106923aaffd755358efb602640f461d81a300a06a905ba38a14eb10fa854105c577c0ce0239e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3FDB.tmp
Filesize
21B

MD5
0521eadb06f132deee2ee228f5727dff

SHA1
9e0937d6e29af1825d50cdca0d79a6daaa9892af

SHA256
eab17e5beb38bc1247e1ead36f0e79f33d5270762274ed3448466a4ca8c73781

SHA512
2ed2ad97d29cdb5e63095ea933f582bda96190a8b7ac47772b68240a338d4bb8b22301f537c5391a2b8e981cb4f4d8f3de1958634e44a78d1f4946680b669fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3FDB.tmp
Filesize
22B

MD5
b047816b08c4d8bfc15d92a76b02f032

SHA1
524d75ebcb25c312f94331dfe9d912d64bed2cdd

SHA256
b1cf0c961cc0706922ed4e40300fbde987d521b47a778d61ad809684b5a16a35

SHA512
d808dd3603318dd503e81dc25be9f03f7623dc2dc812b6955992bcb079071542e655fad2a45343a0a453a97b044f820b090f4cbc6015b6f4b988106bc6aeb757

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3FDB.tmp
Filesize
48B

MD5
040cc34b899dd5230d5113b5156ec5d4

SHA1
60a49c8b3e3f33b38c1780e8826e50d9672c5bcf

SHA256
454a97bbcd88c00fd8617e38fec2ebc855a608adbb751ad5ce4355f6bd171c32

SHA512
e6d441445f20c73e6e23203323dd5ff68ac2a74767fa69aac7c2c1b05e7bd981cf461b66c9d516dc53b4bbc32117c12e103187cfca891846b9d42ee2aa2c423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3FDB.tmp
Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss402B.tmp
Filesize
52B

MD5
3754a9bac29a47a3a29abfa6cdf1ed45

SHA1
74bec62c6ee03c318d269dda97f4acc850994145

SHA256
1cdabf4bdb4450a9ee6f0a10208a898ae9e5a28d8f615cb22c6358846b91215a

SHA512
521bc3b31f6e5e8585ce59839e6f6cd3f2648445ffda0c9ed7960038c8b7822f50eaa8156c1ed0cd2dda0b14c326a13321338fc9fba63fba97532218da3cb898

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss402B.tmp
Filesize
56B

MD5
c599d20101d8532a39fefbec3a4162a9

SHA1
6215d1abf9002230448221e1ebdcb2916df29cb3

SHA256
db2d57c0d52d8989de271b0b5440e043c7c93b4f58092de80a1c1e569f5327b2

SHA512
df32094a64597c11d96b2844ea097c960cf39901508dcdf9d0892e2879706d2b6a178d1f798a1ba22613091c79b11ba468b21ad04f7856c8be3cfd517330df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3FFB.tmp
Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3FFB.tmp
Filesize
33B

MD5
510d60e4ff06b382e06ae658dc19ab83

SHA1
04e0d66654b6da4c654747efb5321670e3345bd5

SHA256
789f77f31e83a37bbaefa8baf52a348e981173202f584c176c95b5341c7c3ec6

SHA512
d4b8bfd1491fd01a38c9ad7ece99a076b7a7276e18a3eb05d20770c5bc66a788d78e706a3c7520a5cde34e7705a193ae49c997daadb1ba1ca41d34bd75c325ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3FFB.tmp
Filesize
60B

MD5
2d45b071bce5847e12b6308c981e1ab7

SHA1
5bc8e983895acd8ed0d5bb4fc48355cf5871ed2c

SHA256
3e9039677f7626a652276f60ecb67b20cd004050af6d7cec32d237591254cb81

SHA512
e838c8c079a8ca453eaa5509df7fe8340329afbf6e6205938ebcac23a98514b7465e8ab7cc9e1be1af10423ab87c8f1797013b58dffcc3d29a35a792d8f05ebc

Download Submit
memory/1640-580-0x0000000076E91000-0x0000000076FB1000-memory.dmp

Filesize
1.1MB

Download
memory/1640-585-0x00000000716B0000-0x0000000071E60000-memory.dmp

Filesize
7.7MB

Download
memory/1640-577-0x0000000076F18000-0x0000000076F19000-memory.dmp

Filesize
4KB

Download
memory/1640-578-0x0000000076F35000-0x0000000076F36000-memory.dmp

Filesize
4KB

Download
memory/1640-593-0x00000000716B0000-0x0000000071E60000-memory.dmp

Filesize
7.7MB

Download
memory/1640-579-0x00000000004C0000-0x0000000001714000-memory.dmp

Filesize
18.3MB

Download
memory/1640-581-0x00000000716BE000-0x00000000716BF000-memory.dmp

Filesize
4KB

Download
memory/1640-582-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1640-583-0x0000000038250000-0x00000000387F4000-memory.dmp

Filesize
5.6MB

Download
memory/1640-584-0x00000000381B0000-0x0000000038216000-memory.dmp

Filesize
408KB

Download
memory/1640-591-0x00000000716BE000-0x00000000716BF000-memory.dmp

Filesize
4KB

Download
memory/1640-586-0x0000000039200000-0x0000000039250000-memory.dmp

Filesize
320KB

Download
memory/1640-587-0x0000000039250000-0x00000000392E2000-memory.dmp

Filesize
584KB

Download
memory/1640-588-0x0000000039320000-0x000000003932A000-memory.dmp

Filesize
40KB

Download
memory/1752-576-0x0000000073CF5000-0x0000000073CF6000-memory.dmp

Filesize
4KB

Download
memory/1752-575-0x0000000076E91000-0x0000000076FB1000-memory.dmp

Filesize
1.1MB

Download