agenttesla | 5e921611411a1f372b02c4655a25f021c666b897e6e4f0ff59ef8a8877792c1f

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSK203.exe
Size

495KB
MD5

672127d627b0d1ffdc8f4f6a7f6a4697
SHA1

965c08f135e270201ca61122955104c0de39ad9f
SHA256

c26d121b096af68fc785a4e7fbd821c0c63a64abd2a64c9abf237fe98d0ddf42
SHA512

f3e6c7837c767944d7e14cac75e5844fa217cfdc3d6dcae575a7d0ad2740617cce9e53e6b28f947114708361570972150737c9c1e3663b5b3ee9fd55a2d6a746
SSDEEP

12288:Pbm37Owct5ERd1ZRad1I5eA2bZxeyCNNrmj:Pbms5EP1CAsZxse

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6859247669:AAER1Rty_3TqZr1VmGGzXWMbtAZFtnPCWCU/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Loads dropped DLL 2 IoCs

Processes:

MSK203.exe

pid process

2748 MSK203.exe
2748 MSK203.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

49 api.ipify.org
48 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

MSK203.exe

pid process

3864 MSK203.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MSK203.exeMSK203.exe

pid process

2748 MSK203.exe
3864 MSK203.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

MSK203.exe

description pid process target process

PID 2748 set thread context of 3864 2748 MSK203.exe MSK203.exe
Drops file in Windows directory 1 IoCs

Processes:

MSK203.exe

description ioc process

File opened for modification C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi MSK203.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MSK203.exe

pid process

3864 MSK203.exe
3864 MSK203.exe
3864 MSK203.exe
3864 MSK203.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MSK203.exe

pid process

2748 MSK203.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSK203.exe

description pid process

Token: SeDebugPrivilege 3864 MSK203.exe

pid	process
2748	MSK203.exe
2748	MSK203.exe

flow	ioc
49	api.ipify.org
48	api.ipify.org

pid	process
3864	MSK203.exe

pid	process
2748	MSK203.exe
3864	MSK203.exe

description	pid	process	target process
PID 2748 set thread context of 3864	2748	MSK203.exe	MSK203.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	MSK203.exe

pid	process
3864	MSK203.exe
3864	MSK203.exe
3864	MSK203.exe
3864	MSK203.exe

pid	process
2748	MSK203.exe

description	pid	process
Token: SeDebugPrivilege	3864	MSK203.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

MSK203.exe

description	pid	process	target process
PID 2748 wrote to memory of 3864	2748	MSK203.exe	MSK203.exe
PID 2748 wrote to memory of 3864	2748	MSK203.exe	MSK203.exe
PID 2748 wrote to memory of 3864	2748	MSK203.exe	MSK203.exe
PID 2748 wrote to memory of 3864	2748	MSK203.exe	MSK203.exe
PID 2748 wrote to memory of 3864	2748	MSK203.exe	MSK203.exe

C:\Users\Admin\AppData\Local\Temp\MSK203.exe
"C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\MSK203.exe
  "C:\Users\Admin\AppData\Local\Temp\MSK203.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4352 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf132A.tmp

Filesize
12B

MD5
c69f9017146365e0214351f8fe3c5837

SHA1
1653405a133cee32745a9a2bffaeca4429d95532

SHA256
e7137bbf941ddb679efbbb3043769122f659a0932d056894f411b734fb1ffddd

SHA512
fa5a9dad8862c6614fd148c9800f3aec0b2a842f1f3ee47f22bbc426133bd7659bdb2cfac45d25288ea6a4c4f1b29163b8ae764c0d15c008935a7b9606c67977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf132A.tmp

Filesize
36B

MD5
8228ca5fc72f34831340b0bff001b669

SHA1
4fac474141ef925f7e0b26382c1fdcecd0620bac

SHA256
c406003ae184867a55dfee4b99472de5cf14542bc2d40086ee114851d0fbe4f0

SHA512
3588e614b94e4d24d5331857d7e69924322f04d76734dd3c44be289a73e7b538516a2c4e4f63472c89e31bbc17d983c3ce405eca447a638c9678c95598b75eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl1483.tmp

Filesize
26B

MD5
51363b8d2e5583ff2bfea0ad020f8ac0

SHA1
bf73704dedd0ed2a6c383f9370d7ce27e19d79ed

SHA256
939fb56ca6afb8ec7f034eb2c92880425c966e10a113c87a979130de27701210

SHA512
b0217d6ed0dcf3f677cc0e3a890c837968ec33ea5e2c4ba3f324305a8cb5a07d898b9742d7c37d4c3590e0306348af8e07f24fb5b6f68193a5bcd390b7ddd3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1143.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
15B

MD5
aec87a5b696e973fd725cfd7fccef0bb

SHA1
4c0cd9bd8adbc7ad00627bc192c73d3aa23f0f02

SHA256
a48c987be1252d84c855810b44ad498f5ab67b9b8bfea471b0e1ec5a7f480fc9

SHA512
8cf3daf380683412911f7d0719c48a9ffa313d09016f6c811f41a16416ad0c3abba2cd34a57ca912ca1853b12665824732a480ec15f127a33aa1476d7479d499

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
31B

MD5
bebdffa37358b59c6d03d4e3947c6f6c

SHA1
bb3d6a0095f4d6d2dac15bb64ffd4775952bf547

SHA256
3e3573216f1f8de74e0c00566b297b31f2c5b0e1015114d370fb84cfcdbe97d3

SHA512
651f98e9cf38c74647806c574f807c6a84d3b60c25aa701c00ad0cac409ff99fa490169ee033ba4ab1aa97dd8010c887d21d1dd1219bbfe5ae81ab39991efdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
34B

MD5
2a9c98ea1aa7a05604ab51073fcd45c7

SHA1
3f970ebeb4f5ef40f8bb1e16d64ab410c3af3962

SHA256
ba493b1e2704c417662224230bffa2effae24f9fbf8c56a7bcb93ac02bc2abd9

SHA512
fe999f6186c4bb20113cfdddba193cf777941a9ce223f0c6d8f85dc5e2668df6f820922d7b75f255ec2d5355f1881f3867686363f4c5f630ffa8b48b079d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
41B

MD5
088d509592627d226179707a88a1f4ee

SHA1
8c03f8a469d4dc4e7f65da8daa8c0e9cdebbe9f4

SHA256
7938b90dbe50e63bd3bc2b7ae77d43ba7c01c15354ab01f9a0b63ebac56b796d

SHA512
f36c70cbb4dbb09a8081b472ceb712b983a676d5a34dc19ec4d0d95126c4e6b80cdd66640e304eb35445503255c9aac22edf386bf6782151844e8df4e1874d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
47B

MD5
a44e5b9b8830beb622f716549767927d

SHA1
78160ea5ffaa4c2e170780a8c18fd36a47724cf7

SHA256
f90559b15f9f45cefd05f0e7b0ec4b7b254a22a2f2cc65eabd6a40ed0c889137

SHA512
ce3a50dc422773b2543260285c7e62617c104c797e4bb4cb16a3d1fc80d18fb6285120e71ba28522061e04c7b89954f5154a490d323ba695493d48a6fd0e43af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp1192.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp122F.tmp

Filesize
11B

MD5
f9e81875c2ac80cd228ff7615d6e6183

SHA1
bc60a68ab8522806b30affd832b5866643ec2031

SHA256
54d26d86b2ebde0a52271df5d2bcc911d881ada35d5716076d0411672f78e7b1

SHA512
6173811b6e692e85ac091f9e53ad9e392dc9853087756dae6907ae45b73704c1084ad64bb9730871b6f7dd16d871dfcf089fcf19746cbee68b783a691937d1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp122F.tmp

Filesize
50B

MD5
4361035762e4fb839ba17f673e627487

SHA1
7389b1245ba4b9c14c3d05f6cd1184a699733b5b

SHA256
889b722b9bb895295e755cbaba4d812a9e317450df025fe3290e77c4244054f2

SHA512
d7d214e511c3df0c0a173df1c724460e966857b22098e85b49e7c7cb90937abd256d056112479ba66f62db1279c4c8d7e91dbc2b4cc08c6aba4c6f0b4da237b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1096.tmp

Filesize
62B

MD5
903e0572b61353c5e9e2f94582bd26d9

SHA1
bf6d18b2607a519c4486e845921b7070e53cb8eb

SHA256
fcc0de8ebc57a00f3f48bc8ba2e93cedc7efe9ecc9600ad63cdd1ba1d6c4fdea

SHA512
3857e85783aa8af1cd075e91729bfd471c3df9d93d944501bf8bd663df9ad1348ee9d81403505851d468beaea9a3ac0ad6799eb4b2e328176c27d32cdf206b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1096.tmp

Filesize
65B

MD5
1bd5509d17a385dbcebec5b71de8dffc

SHA1
9d70c3f205dddda5e33e5de97c0a09feb6836130

SHA256
2bad3065546719b1e5ff58cb7ca6231b6cb669fb1fd06fb30102e9df00d63e60

SHA512
ca43f9d62ad2c3b950b816274869a1c0bd22b77bbb80fc810783ef23b9317362132fb2f29510bb51f4d00940d8c9038b5700560b6f1e38722b2e65037c148bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1096.tmp

Filesize
68B

MD5
acc8e2dc8ef177e828af296be96c6a4e

SHA1
7cc55fd8ac9beeedff4b42acbe7a99d0559f178c

SHA256
860e81e337b378b1d03c4f9205ef876d901e44758d7068a43f7d80eaec9c59aa

SHA512
ba120dda31785f9ff6d9c4ba55eee99c8c0fffa7cc84afac054387da49dd5085e454996a4acd9018cfb4eea887e7610b6265533b9be8bbb2c5063ed071bb9e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1096.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1096.tmp

Filesize
12B

MD5
e456acec0ef7fda3aef06b03bb007e2f

SHA1
a7168146dd22139e81563b24beb736179d1c8370

SHA256
73842f82df7cfef99c471c4301ef8130ddcd65d831b069b880bd71695d2bf607

SHA512
c641ae2e8961562f5fd0f2d258742b024c6564b3f3b6a1d3d642d72bf47a1d6c208055e31dc467a3ea41b7bac658bcbab6e1746daf08fe2484f0c860fb88d475

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz1096.tmp

Filesize
56B

MD5
2cb7f4baa71de08f1ae6dba013610a25

SHA1
8edf21d90c6e80a0a011f8f1bc5e7e06df56a15c

SHA256
8e2bcf9feac393966111f1f2da0442a81206f175f5c983d54c155dc9dca8b35c

SHA512
b4de96747cd2c4ec98837f4634afc86b80c0c186d58023b37e2f468d97ca8c3cf2c19a4ccb4e4456e73b2629f65376d9934119542ca4e990a0c277e873cb77cc

Download Submit
memory/2748-575-0x0000000077871000-0x0000000077991000-memory.dmp

Filesize
1.1MB

Download
memory/2748-576-0x00000000746D5000-0x00000000746D6000-memory.dmp

Filesize
4KB

Download
memory/3864-577-0x00000000778F8000-0x00000000778F9000-memory.dmp

Filesize
4KB

Download
memory/3864-578-0x0000000077915000-0x0000000077916000-memory.dmp

Filesize
4KB

Download
memory/3864-580-0x0000000077871000-0x0000000077991000-memory.dmp

Filesize
1.1MB

Download
memory/3864-579-0x0000000000470000-0x00000000016C4000-memory.dmp

Filesize
18.3MB

Download
memory/3864-581-0x000000007209E000-0x000000007209F000-memory.dmp

Filesize
4KB

Download
memory/3864-582-0x0000000000470000-0x00000000004B4000-memory.dmp

Filesize
272KB

Download
memory/3864-583-0x0000000037FA0000-0x0000000038544000-memory.dmp

Filesize
5.6MB

Download
memory/3864-584-0x0000000072090000-0x0000000072840000-memory.dmp

Filesize
7.7MB

Download
memory/3864-585-0x00000000386B0000-0x0000000038716000-memory.dmp

Filesize
408KB

Download
memory/3864-587-0x0000000038FB0000-0x0000000039000000-memory.dmp

Filesize
320KB

Download
memory/3864-589-0x000000007209E000-0x000000007209F000-memory.dmp

Filesize
4KB

Download
memory/3864-591-0x0000000072090000-0x0000000072840000-memory.dmp

Filesize
7.7MB

Download