agenttesla | c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSK203.exe
Size

495KB
MD5

672127d627b0d1ffdc8f4f6a7f6a4697
SHA1

965c08f135e270201ca61122955104c0de39ad9f
SHA256

c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42
SHA512

f3e6c7837c767944d7e14cac75e5844fa217cfdc3d6dcae575a7d0ad2740617cce9e53e6b28f947114708361570972150737c9c1e3663b5b3ee9fd55a2d6a746
SSDEEP

12288:Pbm37Owct5ERd1ZRad1I5eA2bZxeyCNNrmj:Pbms5EP1CAsZxse

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6859247669:AAER1Rty_3TqZr1VmGGzXWMbtAZFtnPCWCU/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

MSK203.exe

pid process

2320 MSK203.exe
2320 MSK203.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

48 api.ipify.org
49 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

MSK203.exe

pid process

2692 MSK203.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MSK203.exeMSK203.exe

pid process

2320 MSK203.exe
2692 MSK203.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSK203.exe

description pid process target process

PID 2320 set thread context of 2692 2320 MSK203.exe MSK203.exe
Drops file in Windows directory 1 IoCs

Processes:

MSK203.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi MSK203.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

MSK203.exe

pid process

2692 MSK203.exe
2692 MSK203.exe
2692 MSK203.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MSK203.exe

pid process

2320 MSK203.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSK203.exe

description pid process

Token: SeDebugPrivilege 2692 MSK203.exe

pid	process
2320	MSK203.exe
2320	MSK203.exe

flow	ioc
48	api.ipify.org
49	api.ipify.org

pid	process
2692	MSK203.exe

pid	process
2320	MSK203.exe
2692	MSK203.exe

description	pid	process	target process
PID 2320 set thread context of 2692	2320	MSK203.exe	MSK203.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	MSK203.exe

pid	process
2692	MSK203.exe
2692	MSK203.exe
2692	MSK203.exe

pid	process
2320	MSK203.exe

description	pid	process
Token: SeDebugPrivilege	2692	MSK203.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSK203.exe

description	pid	process	target process
PID 2320 wrote to memory of 2692	2320	MSK203.exe	MSK203.exe
PID 2320 wrote to memory of 2692	2320	MSK203.exe	MSK203.exe
PID 2320 wrote to memory of 2692	2320	MSK203.exe	MSK203.exe
PID 2320 wrote to memory of 2692	2320	MSK203.exe	MSK203.exe
PID 2320 wrote to memory of 2692	2320	MSK203.exe	MSK203.exe

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa126F.tmp

Filesize
24B

MD5
942a0add5de9c46c9874a72eba3ce9f6

SHA1
c51748200f0e8ff506ca5d9878573146be220491

SHA256
3d42f06595afec189d9167ecf58d0da6c8294c155e9fc364d8fe8bdcdf25bc89

SHA512
1813eba450ea8bb385b0da7ce4b54a196df7d8b8fb8e79ee9a8161aad31ba7e9e082a337e08c5f09aa19d48a19c1d3c20596893017f350dec28bab36b1366800

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa126F.tmp

Filesize
35B

MD5
cda41b081fb81fc638d5c91fbbc4351b

SHA1
c97203d9a865519bf834dcb125746166c88c38c9

SHA256
1fec463f861eee80e0b258e70d351ebb0c4545c2b43650f7529b376ca0186c63

SHA512
fadf4e91ec23e7604f63f10aa92e50b9b9d611162cf981b6beed647ff35096ea320df3c19d4d5bfc0a7772f25497317092ebfda5d92c455b89bc5db91dfbba3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa126F.tmp

Filesize
56B

MD5
2c77bbd52333e4144ba070082eac42d6

SHA1
d5570ca72f198bd75e1f0d241f0dd69986877ea4

SHA256
54695e5022b16a8b57b4995eabb2d2b2212e0f3fc6ddad15cb2bbc5798fa3c04

SHA512
c800b128aee9e19cfa614be129deed3a440263ff5b58d801e4929ceebf5a930eba8efe948c70e163294a4dabe993a6dcc24f3ca3cef859877da852919dce4162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg13C8.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg13C8.tmp

Filesize
24B

MD5
effa3542d2defff85aeeb1a54276c6bb

SHA1
5d10bff92a69d54f065550910baed5b55febaa80

SHA256
10c81101c2450f3974b06e0e2ec7f84c5f1fcce2ebd790baa07860053bca5c04

SHA512
ea0ad475d212d5b6aa756cd8eca9b8317349727b4780e204394722a6665958c1eab7528b2f0d0ce0ca044c4ee5e03e29b86696acc64dd60ffbc4bd643f794600

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj1038.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1125.tmp

Filesize
23B

MD5
8c367f7037d83ec5fc0be4bcd16dba9d

SHA1
0efc8b29b482afae9aaceef0d80a138ab9b527a9

SHA256
6f470f6196119f505cd2d1b132c50c06fd6522bbd6ffc95b992212093221b637

SHA512
356e4ee6b5572b174084957b61e2aaea850486e2c087b87019bcb7565013d86aadffdc1f3e70ec4c77be108519ce312a2db1896584a738d631c190c03f5fec56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1125.tmp

Filesize
35B

MD5
baf2a3b161f59f08e4ac15360a33f91e

SHA1
7720d461221d6947de0c8295c9a350de7793e0e2

SHA256
8c876ae7916572fa02c0c9841d47358f549363bda4f2879944e44c250f29e431

SHA512
b9ff3c4e06b93e7896a44bbcc4f228e6bed9afc14d4996bb5953851157773882d576826df5d1b9b2000356d69c3a43a61186f88027c4c9914e7aca8a93aa357f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk1125.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu11B2.tmp

Filesize
12B

MD5
558ec0e73952eb4a395e7f17eb69221e

SHA1
d1cb97bfc8d9fad9eab7d19e685029b5f7084709

SHA256
4d8a1cb0f83d824cec9e15e4d45605ed2cc92ae959602d0cc8873b0125d4cd74

SHA512
698fb90fadb2b22ce78f874dac04c2f0bf72340d39f135e7736afdb9a9b28c9c55a8c6c9f871676134e6d057a90afc2944d1f1e8a117cc0f7a90c8d9b60c5dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu11B2.tmp

Filesize
30B

MD5
69a47761d93d45d9bf170ec16939600c

SHA1
1ec8b556be40db3b506319e3a3db31192958eaad

SHA256
4a16aca549822eee4b91050aab5c8e7eab4e4891e94d822116877eda6059fc9a

SHA512
f58562440497dea06b1ddf8a2cceda2eb9a9e3390d91f061a5a348c25c79923c99c61239e64980289aa7ed570437a7bc43e27da35975c0912cc8296108b7765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu11B2.tmp

Filesize
36B

MD5
b6cb37310ace50d1ec738882c29e5687

SHA1
d61bccffd6476c4d1b48058216900228bb06a43a

SHA256
b670162ece3dd4b16226e0ae3697012a39690c47d06647e6f148b4eba5c5f6ed

SHA512
b4dffee6797be2191eba964d98266388c6d40ad177100f27714f170caa195f3ee92973fb7becd6a27cd8820229b9a5ab58efebbed982d331e5bf70c54ed40d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu11B2.tmp

Filesize
56B

MD5
99cc7171768095d186d7ba28942bfdb7

SHA1
644fc0dca771391a4f611aea4f71c5edffd66e09

SHA256
b0d48bf7ad7a788f90f35269df19eb3f019e6983e0bdbd1ee184e88e6ec506d3

SHA512
03b69b85dbf6f63c0b2e7d3f4ea4ce2e93e2e67fe40f0e17e747bc725181a0c893440dbd303eece29829f1f93503209d3df5148b133db99d6c3503da0bf6bbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz10E5.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
memory/2320-575-0x0000000076F51000-0x0000000077071000-memory.dmp

Filesize
1.1MB

Download
memory/2320-576-0x0000000073DB5000-0x0000000073DB6000-memory.dmp

Filesize
4KB

Download
memory/2692-577-0x0000000076FD8000-0x0000000076FD9000-memory.dmp

Filesize
4KB

Download
memory/2692-578-0x0000000076FF5000-0x0000000076FF6000-memory.dmp

Filesize
4KB

Download
memory/2692-580-0x0000000076F51000-0x0000000077071000-memory.dmp

Filesize
1.1MB

Download
memory/2692-579-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/2692-581-0x000000007180E000-0x000000007180F000-memory.dmp

Filesize
4KB

Download
memory/2692-582-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/2692-583-0x0000000038010000-0x00000000385B4000-memory.dmp

Filesize
5.6MB

Download
memory/2692-584-0x0000000071800000-0x0000000071FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2692-585-0x0000000037F70000-0x0000000037FD6000-memory.dmp

Filesize
408KB

Download
memory/2692-587-0x0000000038FB0000-0x0000000039000000-memory.dmp

Filesize
320KB

Download
memory/2692-588-0x0000000039210000-0x00000000392AC000-memory.dmp

Filesize
624KB

Download
memory/2692-589-0x00000000392C0000-0x0000000039352000-memory.dmp

Filesize
584KB

Download
memory/2692-590-0x00000000393B0000-0x00000000393BA000-memory.dmp

Filesize
40KB

Download
memory/2692-593-0x000000007180E000-0x000000007180F000-memory.dmp

Filesize
4KB

Download
memory/2692-594-0x0000000071800000-0x0000000071FB0000-memory.dmp

Filesize
7.7MB

Download