agenttesla | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Resubmissions

28-05-2024 08:39

240528-kklq6scg8y 10

26-05-2024 17:22

240526-vxlxtaef89 10

Analysis

max time kernel
15s
max time network
17s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.officeemailbackup.com
Port:
587
Username:
[email protected]
Password:
*L_n.e3}D?ky

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.officeemailbackup.com
Port:
587
Username:
[email protected]
Password:
*L_n.e3}D?ky
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Text Document.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	New Text Document.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.exeDefault.exe

pid process

2624 csrss.exe
3704 Default.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org
26 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

csrss.exe

description pid process target process

PID 2624 set thread context of 3092 2624 csrss.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jsc.exe

pid process

3092 jsc.exe
3092 jsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New Text Document.execsrss.exejsc.exe

description pid process

Token: SeDebugPrivilege 3552 New Text Document.exe
Token: SeDebugPrivilege 2624 csrss.exe
Token: SeDebugPrivilege 3092 jsc.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

3092 jsc.exe

pid	process
2624	csrss.exe
3704	Default.exe

flow	ioc
25	api.ipify.org
26	api.ipify.org

description	pid	process	target process
PID 2624 set thread context of 3092	2624	csrss.exe	jsc.exe

pid	process
3092	jsc.exe
3092	jsc.exe

description	pid	process
Token: SeDebugPrivilege	3552	New Text Document.exe
Token: SeDebugPrivilege	2624	csrss.exe
Token: SeDebugPrivilege	3092	jsc.exe

pid	process
3092	jsc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

New Text Document.execsrss.exe

description	pid	process	target process
PID 3552 wrote to memory of 2624	3552	New Text Document.exe	csrss.exe
PID 3552 wrote to memory of 2624	3552	New Text Document.exe	csrss.exe
PID 3552 wrote to memory of 3704	3552	New Text Document.exe	Default.exe
PID 3552 wrote to memory of 3704	3552	New Text Document.exe	Default.exe
PID 2624 wrote to memory of 2000	2624	csrss.exe	msbuild.exe
PID 2624 wrote to memory of 2000	2624	csrss.exe	msbuild.exe
PID 2624 wrote to memory of 2000	2624	csrss.exe	msbuild.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe
PID 2624 wrote to memory of 3092	2624	csrss.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Users\Admin\AppData\Local\Temp\a\Default.exe
"C:\Users\Admin\AppData\Local\Temp\a\Default.exe"
2⤵
- Executes dropped EXE
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a\Default.exe
Filesize
874KB

MD5
5342dce42b8256f33b5387ae829c0231

SHA1
6e199a9e7d35ecd6ca085f43c441cfb2028bddf3

SHA256
e812a611cdb2998e688ca8bb2a9066d58491db98ed1a503ad42cfad5a9f41ad8

SHA512
91d270a482e3a7494de79ffe6afc9d58af9c266a1187e63ae3ce4ff5967550fffebd685fcdfdc045ed99bfe88a9c527fd8f46e45a04e2ffbab0270cdc6b5f968

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
Filesize
794KB

MD5
54799fee84c11edd9e0b221612bf2631

SHA1
bfbdc60eb14ca180b2143f3a16d38d73cf9126f5

SHA256
5e55822bd00aac0865436cac6f7a6a8f881cd3ce027474a5b741f43a94c84095

SHA512
a903c9b729eabe05e258cc026e01539f22cd9dc98d625b8ccbfbf5900fafc5acaf063d01f9a7bd0d0be84890bd30fb85f23cce9006f65f86d4b8460ab2dafd08

Download Submit
memory/2624-29-0x000002BA7F590000-0x000002BA7F596000-memory.dmp

Filesize
24KB

Download
memory/2624-30-0x000002BA7F800000-0x000002BA7F894000-memory.dmp

Filesize
592KB

Download
memory/2624-14-0x000002BA64FF0000-0x000002BA6502C000-memory.dmp

Filesize
240KB

Download
memory/2624-15-0x00007FF992430000-0x00007FF992EF1000-memory.dmp

Filesize
10.8MB

Download
memory/2624-34-0x00007FF992430000-0x00007FF992EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3092-36-0x0000000006DE0000-0x0000000006E7C000-memory.dmp

Filesize
624KB

Download
memory/3092-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3092-32-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/3092-33-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/3092-35-0x0000000006CF0000-0x0000000006D40000-memory.dmp

Filesize
320KB

Download
memory/3092-37-0x0000000006F20000-0x0000000006FB2000-memory.dmp

Filesize
584KB

Download
memory/3092-38-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/3552-0-0x00007FF992433000-0x00007FF992435000-memory.dmp

Filesize
8KB

Download
memory/3552-1-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/3552-2-0x00007FF992430000-0x00007FF992EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3552-40-0x00007FF992430000-0x00007FF992EF1000-memory.dmp

Filesize
10.8MB

Download
memory/3704-27-0x00000000007D0000-0x00000000008AC000-memory.dmp

Filesize
880KB

Download