agenttesla | c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSK203.exe
Size

495KB
MD5

672127d627b0d1ffdc8f4f6a7f6a4697
SHA1

965c08f135e270201ca61122955104c0de39ad9f
SHA256

c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42
SHA512

f3e6c7837c767944d7e14cac75e5844fa217cfdc3d6dcae575a7d0ad2740617cce9e53e6b28f947114708361570972150737c9c1e3663b5b3ee9fd55a2d6a746
SSDEEP

12288:Pbm37Owct5ERd1ZRad1I5eA2bZxeyCNNrmj:Pbms5EP1CAsZxse

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6859247669:AAER1Rty_3TqZr1VmGGzXWMbtAZFtnPCWCU/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

MSK203.exe

pid process

2396 MSK203.exe
2396 MSK203.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 api.ipify.org
39 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

MSK203.exe

pid process

1628 MSK203.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MSK203.exeMSK203.exe

pid process

2396 MSK203.exe
1628 MSK203.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSK203.exe

description pid process target process

PID 2396 set thread context of 1628 2396 MSK203.exe MSK203.exe
Drops file in Windows directory 1 IoCs

Processes:

MSK203.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi MSK203.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSK203.exe

pid process

1628 MSK203.exe
1628 MSK203.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MSK203.exe

pid process

2396 MSK203.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSK203.exe

description pid process

Token: SeDebugPrivilege 1628 MSK203.exe

pid	process
2396	MSK203.exe
2396	MSK203.exe

flow	ioc
38	api.ipify.org
39	api.ipify.org

pid	process
1628	MSK203.exe

pid	process
2396	MSK203.exe
1628	MSK203.exe

description	pid	process	target process
PID 2396 set thread context of 1628	2396	MSK203.exe	MSK203.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	MSK203.exe

pid	process
1628	MSK203.exe
1628	MSK203.exe

pid	process
2396	MSK203.exe

description	pid	process
Token: SeDebugPrivilege	1628	MSK203.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSK203.exe

description	pid	process	target process
PID 2396 wrote to memory of 1628	2396	MSK203.exe	MSK203.exe
PID 2396 wrote to memory of 1628	2396	MSK203.exe	MSK203.exe
PID 2396 wrote to memory of 1628	2396	MSK203.exe	MSK203.exe
PID 2396 wrote to memory of 1628	2396	MSK203.exe	MSK203.exe
PID 2396 wrote to memory of 1628	2396	MSK203.exe	MSK203.exe

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd353D.tmp

Filesize
17B

MD5
26b5d572c05bd48008d83ec69a9fe7d8

SHA1
f030b576e69f6071fffee62f3d4447a4ae004812

SHA256
54dc16ada6e12dd1bb2ade6f6c3b9d0e51ebc00568d8022e19cd542620ca8752

SHA512
1a78242b3184d3316b53c8e329c2878c2eefb821aff0363b620ed906e7fa745375160015e9c6639a616a5767be6ba0829faf0332404bec85f412720cdb7a6f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd353D.tmp

Filesize
26B

MD5
b42b894b52848a0731561b7d91665a86

SHA1
6c849620fa8de81e3ae792763ee16f8557422243

SHA256
47c3200448acdbbc900646793f4e4bee95b3967eb7b2c1f5dfb5ced4277ba5fb

SHA512
96b670288335d02c51606f39b3b8007780d34405ee7f2ef0ff977af15cd9031a9fa06383bbea2fffce915c34852ec698f3f3d1a18c64a0fdcfee97c09e70a49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd353D.tmp

Filesize
60B

MD5
6905490802a6c440fab7bc3299682016

SHA1
7212e3db4f3387c8ff2daee9a94067db11a218be

SHA256
0fc3d8084bd0470747f5e0ecb10127bbf64b1b7618ab5a819db38e4b839d3451

SHA512
fcf7b1927605f76bd61d0f5c467b040f210d37ae99477f1a1984cc84037c2b7b461c668e1ba993dcb4e9393c2c7a16ac2b42ba2e97d4e18121ba18d800a04a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi350C.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
15B

MD5
cf7be2840455491f249648c44a1dc759

SHA1
9863c7f04f9d674365fe23f257ba43447f985e8e

SHA256
769c7c2ec9413a771a2f497862194dfb0200452f3a20f5e1f77ad0b6ae535697

SHA512
83984674c9e337bda5ac88c3b2d0e426fd9051e1585b95ea99b3c569ace50900f811e664da9cf426f080837e2b48a5709003b7e5d25382a1ad90026b40777abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
16B

MD5
433fcfa8e075cbbb3370cb2f6c4658da

SHA1
c7926411bd50f5556bfbea60e7d81931e1aad868

SHA256
ccaabed14663822955f3eed5f5ebac067cbb8c0ff9734a67d30fb94a14826237

SHA512
1306f8e4430ed4e981b775409e14d7f927aa630c2bf89b42949fd9ba11b6aceaba61d2bebc925ebc4a7fb4ac2f9add8677f2f579b591639c0b5950fa68f64ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
22B

MD5
7b381311a78901489326c8a317ddf8cd

SHA1
37d010f4fb37e77310effc7625dadbbbb36e8fe4

SHA256
59813bc6f04b4d5a16bd89d01602f4308759a60a579022a6bd209c1c0e8b463b

SHA512
626e1a6b65a7909b365f1b8623d9589889ac92f118f9c56d379af6e66e689075a70a82f76a790512203840506d8400c17f8afbd8a60540c14042c35e622a76e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
39B

MD5
763ec4bcf1080106283ac75cc79cfdc5

SHA1
e916ad8ee0d278848350e957be6e99f8916c9f0e

SHA256
e9f76c3dcf61068c71c8748639c37793963e1929aca11eed3c2caed692bd17ff

SHA512
52273017ba7559aee2f73498b1d277517d2c163ab9eb6891a838664dd4b6ce3a576ae05116deecf502e8494522ce31209dffd2ab68462a75fb841592c83381d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
50B

MD5
d4e73c2e024084f8a99a4d7f7b87c125

SHA1
cd36a406008d290ca754788594cf3d8eeba58169

SHA256
dbcd27d2bc601f3f5e3eb88dd23dece5d924d6840f6ec9f6004d0f79ad260f20

SHA512
7f7c87fc47e1f0dec6a83b366c8c71bc10e0664a786f80875e1878070be556adb766d4ab1069e47b592949a35141c0079b4b1f78787279115a3e94b91ada15ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn34DC.tmp

Filesize
53B

MD5
6601def372fd604346cc14113dbe6c2f

SHA1
55b5e2406ef28e7c45a60acc6f90795cc088493d

SHA256
f4bf549b30bb96f31c7aec31e319438324daac5f7483e906beadb08ce285bb0c

SHA512
4eae5d296860b66377467aea0e6b6077f2bd993c151c29e2d1428c1d262c49ab4f8ef91cc6a7857f9054a1c86c59f08b8d9168754f5e66f021c2d4a05fffb451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst35EB.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy351D.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy351D.tmp

Filesize
45B

MD5
34d32f9b446e46883ec3157794403748

SHA1
e797e81a28e395ea751871b21e638e43d62d0f61

SHA256
a66d886953526d5601da515e1aa53a3f8cbc829aedd557cdf4d0f9573793486e

SHA512
48b0f49ca3604f5a21cb2b850ac19771a17e0fa03cf0b3d6e616e330f136c71dcc623ac36b5b801c4fda203327290b8e3f5ec01a0ea546a87c2ae89a88b74ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy356D.tmp

Filesize
56B

MD5
2c77bbd52333e4144ba070082eac42d6

SHA1
d5570ca72f198bd75e1f0d241f0dd69986877ea4

SHA256
54695e5022b16a8b57b4995eabb2d2b2212e0f3fc6ddad15cb2bbc5798fa3c04

SHA512
c800b128aee9e19cfa614be129deed3a440263ff5b58d801e4929ceebf5a930eba8efe948c70e163294a4dabe993a6dcc24f3ca3cef859877da852919dce4162

Download Submit
memory/1628-584-0x0000000038080000-0x0000000038624000-memory.dmp

Filesize
5.6MB

Download
memory/1628-588-0x0000000039010000-0x00000000390AC000-memory.dmp

Filesize
624KB

Download
memory/1628-577-0x0000000077DB8000-0x0000000077DB9000-memory.dmp

Filesize
4KB

Download
memory/1628-579-0x0000000077DD5000-0x0000000077DD6000-memory.dmp

Filesize
4KB

Download
memory/1628-578-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1628-581-0x0000000077D31000-0x0000000077E51000-memory.dmp

Filesize
1.1MB

Download
memory/1628-580-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/1628-582-0x00000000725EE000-0x00000000725EF000-memory.dmp

Filesize
4KB

Download
memory/1628-583-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/1628-594-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/1628-585-0x0000000037F70000-0x0000000037FD6000-memory.dmp

Filesize
408KB

Download
memory/1628-586-0x00000000725E0000-0x0000000072D90000-memory.dmp

Filesize
7.7MB

Download
memory/1628-587-0x0000000038FB0000-0x0000000039000000-memory.dmp

Filesize
320KB

Download
memory/1628-593-0x00000000725EE000-0x00000000725EF000-memory.dmp

Filesize
4KB

Download
memory/1628-589-0x00000000390B0000-0x0000000039142000-memory.dmp

Filesize
584KB

Download
memory/1628-590-0x00000000391A0000-0x00000000391AA000-memory.dmp

Filesize
40KB

Download
memory/2396-576-0x0000000074B95000-0x0000000074B96000-memory.dmp

Filesize
4KB

Download
memory/2396-575-0x0000000077D31000-0x0000000077E51000-memory.dmp

Filesize
1.1MB

Download