agenttesla | 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
Size

821KB
MD5

c7ae7bfda7f71b76c6f3213cfe94529e
SHA1

eebcb778056a8fa9a33255141d70ffac41523caf
SHA256

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4
SHA512

70326a8b9f6c7d99f82e32f0116b23e2b879bbea3235b03e7510a080ffbbeabc2620b09be4406a2a2b28b62c0679a3ee56e39b7398991693c80da0d84fe43fd2
SSDEEP

12288:8bBFvUojlMVWIhWL7Uc8Eh8xn8mWpXS0iNrmY:8bPvUohIWIhko9xnVWpCH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6994888350:AAFqI19L4KkGo55n9P5XziXuBSULg-rdpEc/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Loads dropped DLL 2 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

pid	process
3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org
26 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

pid process

4892 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

flow	ioc
25	api.ipify.org
26	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

pid	process
3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
4892	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

description	pid	process	target process
PID 3112 set thread context of 4892	3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Drops file in Windows directory 1 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

pid	process
4892	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
4892	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

pid process

3112 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

description pid process

Token: SeDebugPrivilege 4892 93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

description	pid	process
Token: SeDebugPrivilege	4892	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

description	pid	process	target process
PID 3112 wrote to memory of 4892	3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
PID 3112 wrote to memory of 4892	3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
PID 3112 wrote to memory of 4892	3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
PID 3112 wrote to memory of 4892	3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
PID 3112 wrote to memory of 4892	3112	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe	93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe

C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
"C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe
"C:\Users\Admin\AppData\Local\Temp\93b75e7f99768d86cb26282a3164d806d36a2c890fb7d367f0cf389a75d304d4.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsh4BB5.tmp
Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp
Filesize
65B

MD5
1bd5509d17a385dbcebec5b71de8dffc

SHA1
9d70c3f205dddda5e33e5de97c0a09feb6836130

SHA256
2bad3065546719b1e5ff58cb7ca6231b6cb669fb1fd06fb30102e9df00d63e60

SHA512
ca43f9d62ad2c3b950b816274869a1c0bd22b77bbb80fc810783ef23b9317362132fb2f29510bb51f4d00940d8c9038b5700560b6f1e38722b2e65037c148bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp
Filesize
70B

MD5
f603843c4b1146c576a2c9e0826de265

SHA1
5de71ba33c20cfb74c19c706a4a44706d78fb102

SHA256
ada9d1ffc0e78d2e2c05290b4ba1b1b04bc9c97a8f8e084ae0d49e36a9bb9c0c

SHA512
7a5a8ebc1c12193783ae711eb4716c1a2e52d1c4799dcd7f2a29924c246b1c665f456de3eaffd5e9cd7f42e788009e2798d1121c8d695698c86349bff17d5e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp
Filesize
72B

MD5
830f634fb44956d70a234c43be9c0b75

SHA1
1ebe612620e801a4db9256781c95048f7573edc7

SHA256
2a404ae066022b1d313fc3fa263e53ba387aa301e650cbca6379847bb1417381

SHA512
8aa1eeab0f139af87885916505c5dd56ba66771d2083da8d505878b09eaaff8b8c35d765a0770d4b7deca4414f9ae88070f91e9ba119c4dc9b44875bdd344132

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp
Filesize
14B

MD5
2f18f8f3b6d27674881e055d03e7e356

SHA1
7f6bb8aa1fa32dfb63b1da03d45c9aad694eeaf2

SHA256
7a9d5de32c67cb645d31b7d278cee322b643f98342a2d3b350bef4477a806d1a

SHA512
8d9ee0a92f9a0b15213eab47d1cab60258bf34b82664b4744e130d23a7a28d895c687322ae670d04168e3897f31da50999ea12a2c7f730d22be1fc363ef13631

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp
Filesize
37B

MD5
c641bfa28a71f86301ed9e81931da24c

SHA1
59770ef0e9c2658e6aacd708615767660a2dec66

SHA256
df9ef051e1940f576446c4ef6d4ee0f201488c4c0485c26ef2bd3923b3e6a761

SHA512
e2e24f388600ca77ea717c8ebf382ff961cf20ae054d807526dddf28e5a328cbacfb57a6d00ad43afca0a4bc00ebb3f42a169de1fa5787265f468fe9056d093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A99.tmp
Filesize
26B

MD5
b7e56998ef81615a40866acb94c2f30a

SHA1
205d7d70bb8077a220d58f0bea2975fef5acf95a

SHA256
0b50a60cc7418cc1aec43be27dad966a1cf62eea10f825cb93d62b265c7e5dd7

SHA512
4f8a5482c7a21fc0f33e7da187ba7e9ef1250729ec30e56cee98c86e96a5307387436639040905f88ac9af24117d8c8094d142a70c2144c5935b1ace877dd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A99.tmp
Filesize
46B

MD5
0553e87a8f74189e757bfada8ab0ab9e

SHA1
f4c99fe7e957926b88a46ae93d2f02b855f6d88f

SHA256
2ccb8084cb357c920cad749dcb3a4c25339f530c9947dfc8e1f1d54cb7b0ce24

SHA512
8df3168e8f53b40ddf4b2e83d4e3cad2c88edfb484292e263ee5264d7992af6f1aa8a3618f5e90a02082a3642a894bfae43853b35abaef833a8aa5b590fc70fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A99.tmp
Filesize
49B

MD5
1aeb67240bc704bf6cc2fa0a6f52a970

SHA1
0d5cbc71d7e606e7f1a68332be8a7a5a7b4be02d

SHA256
bbd283b5a658ac95e8811c820de41f911e7559e982d9378b5b14c3f7cb5ccb6d

SHA512
c64bdb3c49ff5ca422fe5a4a03fac5145072f7cf692addc23e811ce39c25fc7fcb8e15a07fd770eb8d392d86cfc12c3520b080899a4d2c85646c09b181f2b47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm4A99.tmp
Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr4B08.tmp
Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr4B08.tmp
Filesize
56B

MD5
c599d20101d8532a39fefbec3a4162a9

SHA1
6215d1abf9002230448221e1ebdcb2916df29cb3

SHA256
db2d57c0d52d8989de271b0b5440e043c7c93b4f58092de80a1c1e569f5327b2

SHA512
df32094a64597c11d96b2844ea097c960cf39901508dcdf9d0892e2879706d2b6a178d1f798a1ba22613091c79b11ba468b21ad04f7856c8be3cfd517330df93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4A88.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4AD8.tmp
Filesize
5B

MD5
e2fecc970546c3418917879fe354826c

SHA1
63f1c1dd01b87704a6b6c99fd9f141e0a3064f16

SHA256
ff91566d755f5d038ae698a2cc0a7d4d14e5273afafc37b6f03afda163768fa0

SHA512
3c4a68cbaee94f986515f43305a0e7620c14c30213d4a17db4a3e8a1b996764eb688bf733f472fc52073c2c80bb5229bb29411d7601aefe1c4370e230c341a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4AD8.tmp
Filesize
12B

MD5
558ec0e73952eb4a395e7f17eb69221e

SHA1
d1cb97bfc8d9fad9eab7d19e685029b5f7084709

SHA256
4d8a1cb0f83d824cec9e15e4d45605ed2cc92ae959602d0cc8873b0125d4cd74

SHA512
698fb90fadb2b22ce78f874dac04c2f0bf72340d39f135e7736afdb9a9b28c9c55a8c6c9f871676134e6d057a90afc2944d1f1e8a117cc0f7a90c8d9b60c5dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw4AD8.tmp
Filesize
60B

MD5
2d45b071bce5847e12b6308c981e1ab7

SHA1
5bc8e983895acd8ed0d5bb4fc48355cf5871ed2c

SHA256
3e9039677f7626a652276f60ecb67b20cd004050af6d7cec32d237591254cb81

SHA512
e838c8c079a8ca453eaa5509df7fe8340329afbf6e6205938ebcac23a98514b7465e8ab7cc9e1be1af10423ab87c8f1797013b58dffcc3d29a35a792d8f05ebc

Download Submit
memory/3112-575-0x00000000779F1000-0x0000000077B11000-memory.dmp

Filesize
1.1MB

Download
memory/3112-576-0x0000000074855000-0x0000000074856000-memory.dmp

Filesize
4KB

Download
memory/4892-577-0x0000000077A78000-0x0000000077A79000-memory.dmp

Filesize
4KB

Download
memory/4892-578-0x0000000077A95000-0x0000000077A96000-memory.dmp

Filesize
4KB

Download
memory/4892-580-0x00000000779F1000-0x0000000077B11000-memory.dmp

Filesize
1.1MB

Download
memory/4892-579-0x00000000004C0000-0x0000000001714000-memory.dmp

Filesize
18.3MB

Download
memory/4892-581-0x000000007221E000-0x000000007221F000-memory.dmp

Filesize
4KB

Download
memory/4892-582-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/4892-583-0x0000000038280000-0x0000000038824000-memory.dmp

Filesize
5.6MB

Download
memory/4892-584-0x0000000035F70000-0x0000000035FD6000-memory.dmp

Filesize
408KB

Download
memory/4892-585-0x0000000072210000-0x00000000729C0000-memory.dmp

Filesize
7.7MB

Download
memory/4892-586-0x00000000390C0000-0x0000000039110000-memory.dmp

Filesize
320KB

Download
memory/4892-587-0x0000000039110000-0x00000000391A2000-memory.dmp

Filesize
584KB

Download
memory/4892-588-0x00000000391E0000-0x00000000391EA000-memory.dmp

Filesize
40KB

Download
memory/4892-591-0x000000007221E000-0x000000007221F000-memory.dmp

Filesize
4KB

Download
memory/4892-592-0x0000000072210000-0x00000000729C0000-memory.dmp

Filesize
7.7MB

Download