agenttesla | b548623f00c545157704d1670abbb6708196045d5cf2a4d2ea25e7663f508410

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
Size

590KB
MD5

9768c048c979aeeeeb051574d452b626
SHA1

414d48d77fc71d29e58a92d02fa2d770fb854339
SHA256

19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba
SHA512

9153c973c3ed1f5f1964671e084b1bd764d9850fd87feab3a78acf417178d8f32ee6c16c044020979066bf4b2ad7e2e1e3449a7df3954f78ab9ce9ea649c9bce
SSDEEP

12288:QG05Z3OJwnoJIn8f/FAOeanklK9N8QGMi7B1mSwIhCjVnj:QGz4om8ftAOLKwuQWB1mSlCjVj

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.synergyinnovationsgroup.com
Port:
587
Username:
[email protected]
Password:
C@p-Y8BoHc#?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Loads dropped DLL 10 IoCs

pid	Process
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4792	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
4792	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 4792	2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe	102

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Bydemaadens.pea	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\barberedes\kramer.ini	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4792	wab.exe
4792	wab.exe
4792	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	wab.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4792	2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe	102
PID 2752 wrote to memory of 4792	2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe	102
PID 2752 wrote to memory of 4792	2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe	102
PID 2752 wrote to memory of 4792	2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe	102
PID 2752 wrote to memory of 4792	2752	19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe	102

C:\Users\Admin\AppData\Local\Temp\19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe
"C:\Users\Admin\AppData\Local\Temp\19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\19b8eabc143b4307a4496fec6012965f918e18d0e33a989292568f37a4c5f1ba.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4668,i,16315016104747277319,5510969007830467313,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso6A85.tmp\LangDLL.dll

Filesize
5KB

MD5
549ee11198143574f4d9953198a09fe8

SHA1
2e89ba5f30e1c1c4ce517f28ec1505294bb6c4c1

SHA256
131aa0df90c08dce2eecee46cce8759e9afff04bf15b7b0002c2a53ae5e92c36

SHA512
0fb4cea4fd320381fe50c52d1c198261f0347d6dcee857917169fcc3e2083ed4933beff708e81d816787195cca050f3f5f9c5ac9cc7f781831b028ef5714bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A85.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A85.tmp\UserInfo.dll

Filesize
4KB

MD5
f8b6dd1f9620be4ef2ad1e81fb6b79fa

SHA1
f06c8c8650335bace41c8dbe73307cbe4e61b3b1

SHA256
a921cc9cc4af332be96186d60d2539cb413dfa44cfd73e85687f9338505ff85e

SHA512
f15811088ecde4cd0c038db2c278b7214e41728e382b25c65c2eb491bc0379c075841398e8c99e8cceba8be7e8342bc69d35836ebe9b12ebebff48d01d5fa61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A85.tmp\nsDialogs.dll

Filesize
9KB

MD5
b7d61f3f56abf7b7ff0d4e7da3ad783d

SHA1
15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

SHA256
89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

SHA512
6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso6A85.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/2752-43-0x0000000077661000-0x0000000077781000-memory.dmp

Filesize
1.1MB

Download
memory/2752-44-0x00000000742B5000-0x00000000742B6000-memory.dmp

Filesize
4KB

Download
memory/4792-50-0x0000000000E00000-0x0000000002054000-memory.dmp

Filesize
18.3MB

Download
memory/4792-56-0x0000000038030000-0x0000000038096000-memory.dmp

Filesize
408KB

Download
memory/4792-51-0x0000000077661000-0x0000000077781000-memory.dmp

Filesize
1.1MB

Download
memory/4792-45-0x00000000776E8000-0x00000000776E9000-memory.dmp

Filesize
4KB

Download
memory/4792-52-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/4792-53-0x0000000000E00000-0x0000000000E40000-memory.dmp

Filesize
256KB

Download
memory/4792-54-0x0000000038400000-0x00000000389A4000-memory.dmp

Filesize
5.6MB

Download
memory/4792-46-0x0000000077705000-0x0000000077706000-memory.dmp

Filesize
4KB

Download
memory/4792-57-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download
memory/4792-58-0x00000000382F0000-0x0000000038340000-memory.dmp

Filesize
320KB

Download
memory/4792-59-0x00000000389B0000-0x0000000038A42000-memory.dmp

Filesize
584KB

Download
memory/4792-60-0x0000000038340000-0x000000003834A000-memory.dmp

Filesize
40KB

Download
memory/4792-61-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/4792-63-0x0000000074360000-0x0000000074B10000-memory.dmp

Filesize
7.7MB

Download