agenttesla | cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b616cc8c02b88cff3a1d36ab29673399.exe
Size

498KB
MD5

b616cc8c02b88cff3a1d36ab29673399
SHA1

34689314dda15bd7e84fb84e4cf09749f548bdd3
SHA256

cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56
SHA512

21ed90d8b55b780c6dfd95e5ff6aab8fcd4818a7d199160532f43630ce4d97ccfc54a5624665c7a811b4c2ee9dba16488343181ce972d1bac3ce5aa8428121a3
SSDEEP

12288:abmJMxaP3/NCDptpDcC69kq6YX/ir+KY+1Nrmz:abm3PNC/6kq6YvirbYP

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

pid process

684 b616cc8c02b88cff3a1d36ab29673399.exe
684 b616cc8c02b88cff3a1d36ab29673399.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

pid process

4064 b616cc8c02b88cff3a1d36ab29673399.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exeb616cc8c02b88cff3a1d36ab29673399.exe

pid process

684 b616cc8c02b88cff3a1d36ab29673399.exe
4064 b616cc8c02b88cff3a1d36ab29673399.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

description pid process target process

PID 684 set thread context of 4064 684 b616cc8c02b88cff3a1d36ab29673399.exe b616cc8c02b88cff3a1d36ab29673399.exe
Drops file in Windows directory 1 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi b616cc8c02b88cff3a1d36ab29673399.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

pid process

4064 b616cc8c02b88cff3a1d36ab29673399.exe
4064 b616cc8c02b88cff3a1d36ab29673399.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

pid process

684 b616cc8c02b88cff3a1d36ab29673399.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

description pid process

Token: SeDebugPrivilege 4064 b616cc8c02b88cff3a1d36ab29673399.exe

pid	process
684	b616cc8c02b88cff3a1d36ab29673399.exe
684	b616cc8c02b88cff3a1d36ab29673399.exe

pid	process
4064	b616cc8c02b88cff3a1d36ab29673399.exe

pid	process
684	b616cc8c02b88cff3a1d36ab29673399.exe
4064	b616cc8c02b88cff3a1d36ab29673399.exe

description	pid	process	target process
PID 684 set thread context of 4064	684	b616cc8c02b88cff3a1d36ab29673399.exe	b616cc8c02b88cff3a1d36ab29673399.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	b616cc8c02b88cff3a1d36ab29673399.exe

pid	process
4064	b616cc8c02b88cff3a1d36ab29673399.exe
4064	b616cc8c02b88cff3a1d36ab29673399.exe

pid	process
684	b616cc8c02b88cff3a1d36ab29673399.exe

description	pid	process
Token: SeDebugPrivilege	4064	b616cc8c02b88cff3a1d36ab29673399.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b616cc8c02b88cff3a1d36ab29673399.exe

description	pid	process	target process
PID 684 wrote to memory of 4064	684	b616cc8c02b88cff3a1d36ab29673399.exe	b616cc8c02b88cff3a1d36ab29673399.exe
PID 684 wrote to memory of 4064	684	b616cc8c02b88cff3a1d36ab29673399.exe	b616cc8c02b88cff3a1d36ab29673399.exe
PID 684 wrote to memory of 4064	684	b616cc8c02b88cff3a1d36ab29673399.exe	b616cc8c02b88cff3a1d36ab29673399.exe
PID 684 wrote to memory of 4064	684	b616cc8c02b88cff3a1d36ab29673399.exe	b616cc8c02b88cff3a1d36ab29673399.exe
PID 684 wrote to memory of 4064	684	b616cc8c02b88cff3a1d36ab29673399.exe	b616cc8c02b88cff3a1d36ab29673399.exe

C:\Users\Admin\AppData\Local\Temp\b616cc8c02b88cff3a1d36ab29673399.exe
"C:\Users\Admin\AppData\Local\Temp\b616cc8c02b88cff3a1d36ab29673399.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\b616cc8c02b88cff3a1d36ab29673399.exe
"C:\Users\Admin\AppData\Local\Temp\b616cc8c02b88cff3a1d36ab29673399.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc344F.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc344F.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc344F.tmp

Filesize
38B

MD5
306942073b8a4457561e12735efb9411

SHA1
b1cd498c9febaeb7c2aa4e57c30f118f50eaacb6

SHA256
2f68a110d1297ef0a5752507719512451b5a9f00bf25e1392ad5ad3be968ea34

SHA512
29b4c8dc5a083fde8e809ad3e87b76057116fa9820c15fbddb25913543d93d9475ce07137cd382d6ba9c71741f706bf5be4e13909e231b32164a189fdf95271c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd358D.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss34B0.tmp

Filesize
57B

MD5
d268b2d9835e50abef5ae70c8cb1cdab

SHA1
a3d78dcf73e8f94199958a5163ded87e3a046577

SHA256
6012b69a34e4c08d387a4fc1828894867c26af3a88e01a99e9ecfdefe770d0f1

SHA512
56639fe0f8661361aa57ef2387f7775c6e9c88a011521f6b9f94d83b718093429a6ebed29550a81043ffafb52f02e84291b96bab0ccb02b32a47356c51850fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss34B0.tmp

Filesize
60B

MD5
7e828655d00269fe9d73e99520061456

SHA1
5341e579934758bc6e25ae7b8e4fb559d8fea2ff

SHA256
0d1a557b0e8d85d8d78e905004b1a7037fc12d6ffa801ec4a44262ac28e4bb3c

SHA512
c954c3ed0038f3888cdaf33232dad08370d5204e8054a381381959bcd1bd2125807ad3488ac94d4871db5310dc8f64b721307af1fb2711c22e4860e6d11e8081

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx347F.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3480.tmp

Filesize
13B

MD5
7a02f5fcc4fa926f656690c64b909ab6

SHA1
b92430a7da87fac12ae7ba0aea3cc4373a91b2ce

SHA256
4c9cf56a764d54f52d17f4d6a99962dee20b5fe54888357ea9532bb8c54869c9

SHA512
1f95dbfdda145dd50b2c9013fb165cb84eb87879442c30b92106923aaffd755358efb602640f461d81a300a06a905ba38a14eb10fa854105c577c0ce0239e70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3480.tmp

Filesize
24B

MD5
60f65c2cd21dde8cc4ce815633d832e0

SHA1
c1196320458557d8c4f65ba6810953b1037a822b

SHA256
7f0f042b1879b1b8f04a5e6051e577a1e691ec322789c4d98d52494cfd906ce7

SHA512
301ead9a6620deccb0be51bbe4eb760ca9d48d029cded0c6cdc7115a4353f4d9330f2ca92df2519a78a7d5aa24975ca6fa19c0269cc411026739b3f733f8d8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3480.tmp

Filesize
41B

MD5
088d509592627d226179707a88a1f4ee

SHA1
8c03f8a469d4dc4e7f65da8daa8c0e9cdebbe9f4

SHA256
7938b90dbe50e63bd3bc2b7ae77d43ba7c01c15354ab01f9a0b63ebac56b796d

SHA512
f36c70cbb4dbb09a8081b472ceb712b983a676d5a34dc19ec4d0d95126c4e6b80cdd66640e304eb35445503255c9aac22edf386bf6782151844e8df4e1874d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx3480.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx34D0.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx34D0.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx34D0.tmp

Filesize
15B

MD5
64c34dda0003aa56030f5cef66dd8616

SHA1
8f3f9e66c5b9d35715b3c6d8aa800450f6db95fb

SHA256
a3f3ef6dbcdd25537eb2d093b42fcb85c2e84522ae1aab7bf924dc00eb3ef870

SHA512
0f01df79160393b6e7c6ea2d302bd9c1613a269ca0cb09d300d6c98dbff12e0aa3456e89c16842de77353c32edb4df565ac0709a66dc48375088f8dbba3b277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx34D0.tmp

Filesize
17B

MD5
88709912d0866bf048ec0c601d091abe

SHA1
c5364abea3ba9bbfb01fa4b0b04547042e0392b9

SHA256
1a5bf931879e4348adaa5a155208f1c1329c3d12c1b51006098190a595a02a9d

SHA512
d188eebf04b71aff02d29feda4f86a2b14f834a8d40234544d736eb369ee261aea7fe4882193067b52d2d2e0847ccbe0858a0c9b7e02efd08f61f07ffaa23678

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx34D0.tmp

Filesize
49B

MD5
720b05e0ec8120106da2c2278cf0ae01

SHA1
b82a491854874f3e80245e55ab229a76bf186aa3

SHA256
8fc97afc91d28332b32fef78aa3088ba107c476733fca567ce6bb04e7eaafd63

SHA512
352877d3c99281bb56f0f17793769b093ef360110222fd7af748740e5c0e05540d37fbf60f74553c359cc6b5a0d271a62a855c2b508d32d2cc125c2217873f20

Download Submit
memory/684-575-0x00000000771E1000-0x0000000077301000-memory.dmp

Filesize
1.1MB

Download
memory/684-577-0x0000000074045000-0x0000000074046000-memory.dmp

Filesize
4KB

Download
memory/684-576-0x00000000771E1000-0x0000000077301000-memory.dmp

Filesize
1.1MB

Download
memory/4064-578-0x0000000077268000-0x0000000077269000-memory.dmp

Filesize
4KB

Download
memory/4064-579-0x0000000077285000-0x0000000077286000-memory.dmp

Filesize
4KB

Download
memory/4064-581-0x00000000771E1000-0x0000000077301000-memory.dmp

Filesize
1.1MB

Download
memory/4064-580-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/4064-582-0x0000000071A0E000-0x0000000071A0F000-memory.dmp

Filesize
4KB

Download
memory/4064-583-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/4064-584-0x0000000038990000-0x0000000038F34000-memory.dmp

Filesize
5.6MB

Download
memory/4064-585-0x0000000038F40000-0x0000000038FA6000-memory.dmp

Filesize
408KB

Download
memory/4064-586-0x0000000071A00000-0x00000000721B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-587-0x0000000039360000-0x00000000393B0000-memory.dmp

Filesize
320KB

Download
memory/4064-588-0x00000000393B0000-0x0000000039442000-memory.dmp

Filesize
584KB

Download
memory/4064-589-0x0000000039490000-0x000000003949A000-memory.dmp

Filesize
40KB

Download
memory/4064-592-0x0000000071A0E000-0x0000000071A0F000-memory.dmp

Filesize
4KB

Download
memory/4064-593-0x0000000071A00000-0x00000000721B0000-memory.dmp

Filesize
7.7MB

Download