agenttesla | 0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51

Analysis

max time kernel
141s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe
Size

760KB
MD5

f87f3da7e4319dc7c9aa712ad633040e
SHA1

a2a0029312e054f01a045b5af463b118779c8951
SHA256

0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51
SHA512

ecf179b368273c02ed5033cbd1fc122f95f235f27bf40c6d8dbfd606ad2439a13269de40e468da462c99b7b8141c990b4b3598fec365baee2ca2847319437918
SSDEEP

12288:HjfLII7ciGmjKPVKu3wKD2NrfcKDd6LgQ58a8okHZcIh6odO7arRiDOUij:DL+l6KPV/w1rflDd6Ld5tiHroodwERi6

Score

10^/10

agenttesla asyncrat remcos default host discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.globalifb.com
Port:
587
Username:
[email protected]
Password:
$;oGh3?)CQiY
Email To:
[email protected]

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

104.129.27.19:6606

104.129.27.19:7707

104.129.27.19:8808

Mutex

ppUf6LQ00ujy

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

104.129.27.19:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%WinDir%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_lojuxaaqmwpnhvc
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000019379-53.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2264	powershell.exe
2624	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	dllhostservices.exe
2052	crss.exe
1152	svchostservice.exe
3004	HWMonitor.exe

Loads dropped DLL 5 IoCs

pid	Process
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2088	MSBuild.exe
2052	crss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Windows\\system32\\HWMonitor\\HWMonitor.exe"	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe	crss.exe
File created	C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe	HWMonitor.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostservice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhostservices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWMonitor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2052	crss.exe
3004	HWMonitor.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2088	MSBuild.exe
2088	MSBuild.exe
2624	powershell.exe
2264	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	MSBuild.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	dllhostservices.exe
2088	MSBuild.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2624	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	31
PID 2336 wrote to memory of 2624	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	31
PID 2336 wrote to memory of 2624	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	31
PID 2336 wrote to memory of 2624	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	31
PID 2336 wrote to memory of 2724	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	33
PID 2336 wrote to memory of 2724	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	33
PID 2336 wrote to memory of 2724	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	33
PID 2336 wrote to memory of 2724	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	33
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2336 wrote to memory of 2088	2336	0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe	35
PID 2088 wrote to memory of 2632	2088	MSBuild.exe	37
PID 2088 wrote to memory of 2632	2088	MSBuild.exe	37
PID 2088 wrote to memory of 2632	2088	MSBuild.exe	37
PID 2088 wrote to memory of 2632	2088	MSBuild.exe	37
PID 2088 wrote to memory of 2052	2088	MSBuild.exe	38
PID 2088 wrote to memory of 2052	2088	MSBuild.exe	38
PID 2088 wrote to memory of 2052	2088	MSBuild.exe	38
PID 2088 wrote to memory of 2052	2088	MSBuild.exe	38
PID 2088 wrote to memory of 1152	2088	MSBuild.exe	39
PID 2088 wrote to memory of 1152	2088	MSBuild.exe	39
PID 2088 wrote to memory of 1152	2088	MSBuild.exe	39
PID 2088 wrote to memory of 1152	2088	MSBuild.exe	39
PID 2052 wrote to memory of 2264	2052	crss.exe	40
PID 2052 wrote to memory of 2264	2052	crss.exe	40
PID 2052 wrote to memory of 2264	2052	crss.exe	40
PID 2052 wrote to memory of 2264	2052	crss.exe	40
PID 2052 wrote to memory of 3004	2052	crss.exe	42
PID 2052 wrote to memory of 3004	2052	crss.exe	42
PID 2052 wrote to memory of 3004	2052	crss.exe	42
PID 2052 wrote to memory of 3004	2052	crss.exe	42

C:\Users\Admin\AppData\Local\Temp\0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe
"C:\Users\Admin\AppData\Local\Temp\0d2d25f45c008b22385ef8f7a21d9d51d0269c0f55802da3ef34c522f6ef7f51.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PZWVpHoNkCgPF.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PZWVpHoNkCgPF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF316.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Windows\system32\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe
      "C:\Windows\system32\HWMonitor\HWMonitor.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:3004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF316.tmp

Filesize
1KB

MD5
591949f49714779d2373ae5e00006b8d

SHA1
490439d4e0f7f1d8817f8ee8bee45bef1a49d7c0

SHA256
452c20bbb70a2e2526137ada1827472a37ad32aeb49be7650d6d193b0baaa562

SHA512
b1d3e34aa1e84b019694c2d84a8bd623cf7545db46968df0c23dec8e0fa5f9558637657e99a79ff949db3c50c145480c364f41d885d20c1d3b9571f008a165f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d648cdf91ba13c385d288afd44c82825

SHA1
6992ede2bd07b2539583fa8955bd4551a3122227

SHA256
2572ba03bc46b2cd759d712a5bed4aa63984852b47c919ef09cb7313ac98bf05

SHA512
cb66d9022053b765d2912d9aff0ea5c33ba7be9b3df8bf95ce6890e37022e5fa942ccd166e91ba256b0115353437be705b077b28379c202797698c3026050eee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe

Filesize
45KB

MD5
962b8a0da7f38404ae75698d445d2f82

SHA1
afefd1bc3f70d9a03621a22715ea1001a8d4427b

SHA256
940d979a6e48061d85288ff57e6865087d7c0362774bd7d2caebfdc7b02914eb

SHA512
e1092a2f4c3877eca9d6f67b4da78fecae66bc5fd49d190f796358c245b005a3c6fbd49496bfb4b1ea688c6719c0ca4f963f49b192c97dcb518d5cd4c42bbc68

Download Submit
C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe

Filesize
43.5MB

MD5
8dea49af3a9add7d5506589db7044518

SHA1
4e95b1a39d345294c7408ce014c56fdf73713236

SHA256
a18738498148f723563d8fb0eb7000043c8ef3f75754050fd5976d792d0ef58c

SHA512
8180366dca6499c8bb09d4dd18da641f8eae6dbd3899e669c570a75c12bfaaab1c6cff6bdbc31e78c5b9e70d78be53271e8cf9291a95fa60bcf772761c81f3b5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe

Filesize
10KB

MD5
caf9747a01a99245a0b3df133dd85191

SHA1
c8429f9d5d1d9768e22019fcac5f0d4b59c006a6

SHA256
6d0d83d060bc279825425757101698e702f3e71c53639270c63b24216fcbcd3f

SHA512
efde236d9924598aa1b3b54b1711b9bbea194bd4a392781aa3c71dca55a0e0188bc8452468497538ee7444ee8803ab4c5865f821fd7aba60b811ed72ebd57ce7

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe

Filesize
36KB

MD5
64836f3e257a5b415711abc3b6ea6323

SHA1
f52f8588801554eaf4e495784b84f830c4afeaf4

SHA256
3f02a631dce0c4a4acd39ca731eae0ebda74ea65bfe90573d2ab226bab1dc234

SHA512
f3418f421ff0d0bfefd37e5ad75f9d2ffe40953333b90a01ab015942f36333fc4c0e03e468e725e6d8bb5573d9c058aeb889336fee77099db2ddfdfd1a7822f9

Download Submit
memory/1152-55-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/2052-48-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2088-18-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2088-14-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2088-24-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2088-23-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2088-56-0x00000000020B0000-0x00000000020C9000-memory.dmp

Filesize
100KB

Download
memory/2088-28-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2088-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-20-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2088-33-0x00000000020B0000-0x00000000020C9000-memory.dmp

Filesize
100KB

Download
memory/2088-16-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2336-6-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2336-29-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/2336-8-0x0000000005420000-0x00000000054BC000-memory.dmp

Filesize
624KB

Download
memory/2336-5-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-4-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/2336-3-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2336-7-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2336-1-0x0000000000A10000-0x0000000000AD2000-memory.dmp

Filesize
776KB

Download
memory/2336-2-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-59-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2632-57-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2632-76-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2632-78-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2632-81-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3004-72-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download