agenttesla | 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
Size

821KB
MD5

c7ae7bfda7f71b76c6f3213cfe94529e
SHA1

eebcb778056a8fa9a33255141d70ffac41523caf
SHA256

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
SHA512

70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2
SSDEEP

12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs

resource	yara_rule
behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral2/memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Loads dropped DLL 2 IoCs

pid	Process
3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
36	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1056	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
1056	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 1056	3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	92

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
1056	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 1056	3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	92
PID 3080 wrote to memory of 1056	3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	92
PID 3080 wrote to memory of 1056	3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	92
PID 3080 wrote to memory of 1056	3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	92
PID 3080 wrote to memory of 1056	3080	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	92

C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
"C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
  "C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd35D6.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd35D6.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd35D6.tmp

Filesize
20B

MD5
9111ba1d1ceb4b7f775d74730aac363e

SHA1
c0af4968c775735be12419b60b257ed4359cb9b2

SHA256
0883f5bab7d5dafd9efec59b917070f5d051f50b047951d1ea87dab27fef7b91

SHA512
836c5d3941109691f2589e317e10d661978d9fc4af435bde3467159913ff9192d6eab1efe3e50e2048d06ce0c85963efe1ac056e1fd6ff1d33ac05f25beabbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd35D6.tmp

Filesize
64B

MD5
814da453daa6269ca4ed4cd15266b28c

SHA1
82981f8c0d5d3ffccbf06fff867f8c3b1aaa454b

SHA256
791004efaa6a41452708fe5db95097b4681e4f4d386e33b8044088b8f736d743

SHA512
3336dbdf67c28567e9cd6a495e2e7d7e7fca21fccdff35b7c84588237829c32f69be5f733cbc3e3bf1614868a3e9e6000c5ff3116b4cc035723c37ca743cb948

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3626.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3616.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3656.tmp

Filesize
51B

MD5
2dd936eb3d7589ea1ff02761eb026412

SHA1
059f5db3de09440576f5a4331af7b2ef6c6fc468

SHA256
851257ed1df0d3e567cdaefdf63361c1a26e9ebd20b39024e926e94f68181f7e

SHA512
f420b11f4277546d52ddc81c29498052286959dfb033f9f31e3c8d98893ab09778accef2866422d7c8024d4b66e1369adf14bd91544a6fd2376e311e085b2caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3656.tmp

Filesize
60B

MD5
2d45b071bce5847e12b6308c981e1ab7

SHA1
5bc8e983895acd8ed0d5bb4fc48355cf5871ed2c

SHA256
3e9039677f7626a652276f60ecb67b20cd004050af6d7cec32d237591254cb81

SHA512
e838c8c079a8ca453eaa5509df7fe8340329afbf6e6205938ebcac23a98514b7465e8ab7cc9e1be1af10423ab87c8f1797013b58dffcc3d29a35a792d8f05ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy36A5.tmp

Filesize
56B

MD5
c599d20101d8532a39fefbec3a4162a9

SHA1
6215d1abf9002230448221e1ebdcb2916df29cb3

SHA256
db2d57c0d52d8989de271b0b5440e043c7c93b4f58092de80a1c1e569f5327b2

SHA512
df32094a64597c11d96b2844ea097c960cf39901508dcdf9d0892e2879706d2b6a178d1f798a1ba22613091c79b11ba468b21ad04f7856c8be3cfd517330df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3742.tmp

Filesize
27B

MD5
4957153fabb445fb18c9ebc9c311f34d

SHA1
d12d7a2c8a4b61bae681b19b9a07a06a0d0d4632

SHA256
fbaa92d310219f370662dbcb3d8023c007b4786d0bf979228690d4df2cf89c91

SHA512
4c0ee80abbe5748e3b794982585dc819c57f59429ef47ab628a801d05752daea92e7ef97088556b5411a49e8724157ee748a0e40c3efc0962927783fc1a44cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy3742.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
memory/1056-578-0x00000000773E5000-0x00000000773E6000-memory.dmp

Filesize
4KB

Download
memory/1056-584-0x00000000382A0000-0x0000000038844000-memory.dmp

Filesize
5.6MB

Download
memory/1056-577-0x00000000773C8000-0x00000000773C9000-memory.dmp

Filesize
4KB

Download
memory/1056-593-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/1056-579-0x00000000004C0000-0x0000000001714000-memory.dmp

Filesize
18.3MB

Download
memory/1056-580-0x00000000004C0000-0x0000000001714000-memory.dmp

Filesize
18.3MB

Download
memory/1056-581-0x0000000077341000-0x0000000077461000-memory.dmp

Filesize
1.1MB

Download
memory/1056-582-0x0000000071B6E000-0x0000000071B6F000-memory.dmp

Filesize
4KB

Download
memory/1056-583-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/1056-592-0x0000000071B6E000-0x0000000071B6F000-memory.dmp

Filesize
4KB

Download
memory/1056-585-0x00000000381B0000-0x0000000038216000-memory.dmp

Filesize
408KB

Download
memory/1056-586-0x0000000071B60000-0x0000000072310000-memory.dmp

Filesize
7.7MB

Download
memory/1056-587-0x0000000039200000-0x0000000039250000-memory.dmp

Filesize
320KB

Download
memory/1056-588-0x0000000039250000-0x00000000392E2000-memory.dmp

Filesize
584KB

Download
memory/1056-589-0x0000000039320000-0x000000003932A000-memory.dmp

Filesize
40KB

Download
memory/3080-576-0x00000000741A5000-0x00000000741A6000-memory.dmp

Filesize
4KB

Download
memory/3080-575-0x0000000077341000-0x0000000077461000-memory.dmp

Filesize
1.1MB

Download