Overview
overview
10Static
static
10agentesla/...2b.exe
windows7-x64
3agentesla/...2b.exe
windows10-2004-x64
3agentesla/...f8.exe
windows7-x64
3agentesla/...f8.exe
windows10-2004-x64
3agentesla/...c3.exe
windows7-x64
10agentesla/...c3.exe
windows10-2004-x64
10agentesla/...71.exe
windows7-x64
10agentesla/...71.exe
windows10-2004-x64
10agentesla/...1c.exe
windows7-x64
3agentesla/...1c.exe
windows10-2004-x64
3agentesla/...1e.exe
windows7-x64
3agentesla/...1e.exe
windows10-2004-x64
3agentesla/...f5.exe
windows7-x64
3agentesla/...f5.exe
windows10-2004-x64
3agentesla/...3d.exe
windows7-x64
3agentesla/...3d.exe
windows10-2004-x64
8agentesla/...e2.exe
windows7-x64
10agentesla/...e2.exe
windows10-2004-x64
10agentesla/...f7.exe
windows7-x64
10agentesla/...f7.exe
windows10-2004-x64
10agentesla/...ce.exe
windows7-x64
3agentesla/...ce.exe
windows10-2004-x64
3agentesla/...34.exe
windows7-x64
10agentesla/...34.exe
windows10-2004-x64
10agentesla/...1c.exe
windows7-x64
3agentesla/...1c.exe
windows10-2004-x64
3agentesla/...9f.exe
windows7-x64
3agentesla/...9f.exe
windows10-2004-x64
3agentesla/...ad.exe
windows7-x64
3agentesla/...ad.exe
windows10-2004-x64
3agentesla/...d1.exe
windows7-x64
3agentesla/...d1.exe
windows10-2004-x64
3Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-10-2024 15:08
Behavioral task
behavioral1
Sample
agentesla/00c0a561a336fa0fff7f424c06c32ba0034970f890715693f8c58115ac45912b.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
agentesla/00c0a561a336fa0fff7f424c06c32ba0034970f890715693f8c58115ac45912b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
agentesla/04ec444b81fb470e6021f3600bdc6b3abd8bd4c73b5646defd50dc9c1f57b2f8.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
agentesla/04ec444b81fb470e6021f3600bdc6b3abd8bd4c73b5646defd50dc9c1f57b2f8.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
agentesla/0589b1a23462a22c92aba14d099cdca5d8be0b78d333de15a8de5e3881ba5ac3.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
agentesla/0589b1a23462a22c92aba14d099cdca5d8be0b78d333de15a8de5e3881ba5ac3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
agentesla/06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
agentesla/06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
agentesla/06f3088733eb1658bf5ea5bba40773e1803262da05bb837793e1388ca37aac1c.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
agentesla/06f3088733eb1658bf5ea5bba40773e1803262da05bb837793e1388ca37aac1c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
agentesla/071493a405eafb4ef8d835b9c34e6214de90efe7bed6ebff2644e7eb0a5ea21e.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
agentesla/071493a405eafb4ef8d835b9c34e6214de90efe7bed6ebff2644e7eb0a5ea21e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
agentesla/08bcd543875afc446c8fb959a0b46e3c33a59cd813816490c57085f3952a55f5.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
agentesla/08bcd543875afc446c8fb959a0b46e3c33a59cd813816490c57085f3952a55f5.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
agentesla/0a733b1668fe2f6642d326abbf56034b7024564b9f81f142bb84f8acba93653d.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
agentesla/0a733b1668fe2f6642d326abbf56034b7024564b9f81f142bb84f8acba93653d.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
agentesla/0a9e668b23fdd273acb8ac8096e435e09f581d67203cf2475ef6f90e6b0965e2.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
agentesla/0a9e668b23fdd273acb8ac8096e435e09f581d67203cf2475ef6f90e6b0965e2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
agentesla/0aab30131f78d4a2565ceecc5f11800263dd49c7c4f010b8c51617bfe76370f7.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
agentesla/0aab30131f78d4a2565ceecc5f11800263dd49c7c4f010b8c51617bfe76370f7.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
agentesla/0ac34ce3065de2dac257227088c89592b8ae4e61706a0c1598870ac8eef835ce.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
agentesla/0ac34ce3065de2dac257227088c89592b8ae4e61706a0c1598870ac8eef835ce.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
agentesla/0b37019099dde1c099b071932815a725c85df546cbc156fc6db28fd0dc46e934.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
agentesla/0b37019099dde1c099b071932815a725c85df546cbc156fc6db28fd0dc46e934.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
agentesla/0cb8eb139ca9874d3cf55541e6c7c8bf2810e0891454f4714e9f93d7fcc2131c.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
agentesla/0cb8eb139ca9874d3cf55541e6c7c8bf2810e0891454f4714e9f93d7fcc2131c.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
agentesla/0d558324d41e1186934cf86814f31bbfc9cf376476f9d274f093a6e72f1dc99f.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
agentesla/0d558324d41e1186934cf86814f31bbfc9cf376476f9d274f093a6e72f1dc99f.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
agentesla/0f8aed3c459e2a6598e527fbd694b83816ebe911b9a89899678266a0cc1ef7ad.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
agentesla/0f8aed3c459e2a6598e527fbd694b83816ebe911b9a89899678266a0cc1ef7ad.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
agentesla/10b4fa5dd267a1cda86efb0abea33722b911ea6972d113b66af613fd42f6f1d1.exe
Resource
win7-20240708-en
Behavioral task
behavioral32
Sample
agentesla/10b4fa5dd267a1cda86efb0abea33722b911ea6972d113b66af613fd42f6f1d1.exe
Resource
win10v2004-20241007-en
General
-
Target
agentesla/06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe
-
Size
366KB
-
MD5
b29263b5d35ffce3eef6a54549966724
-
SHA1
23d474b87f0698a3c954aeeffc9e2b7777aa8731
-
SHA256
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871
-
SHA512
ecdb4111613d82b06d23cb6d57ce0c1e48f06e8fa44e9c32a478a58e377bfe3170037e049035cc8b90dda74b228e52962035378c8b01cf9c6c2bd9120aaf7688
-
SSDEEP
6144:OOTNj/znzNEu816TkUzhD6dmo9FUiK2FpSMtZSYVM/SxRCVEt1Lakl:3j/znzNEu816T5zhD6Yq5Fp37SYbTaML
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.globalifb.com - Port:
587 - Username:
[email protected] - Password:
$;oGh3?)CQiY - Email To:
[email protected]
Extracted
remcos
1.7 Pro
Host
104.129.27.19:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%WinDir%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_lojuxaaqmwpnhvc
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
0.5.8
Default
104.129.27.19:6606
104.129.27.19:7707
104.129.27.19:8808
ppUf6LQ00ujy
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe family_asyncrat -
Executes dropped EXE 4 IoCs
Processes:
dllhostservices.execrss.exesvchostservice.exeHWMonitor.exepid process 2872 dllhostservices.exe 2808 crss.exe 2928 svchostservice.exe 2496 HWMonitor.exe -
Loads dropped DLL 5 IoCs
Processes:
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.execrss.exepid process 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe 2808 crss.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Windows\\system32\\HWMonitor\\HWMonitor.exe" powershell.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org 3 api.ipify.org -
Drops file in System32 directory 2 IoCs
Processes:
HWMonitor.execrss.exedescription ioc process File created C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe HWMonitor.exe File created C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe crss.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.execrss.exesvchostservice.exedllhostservices.exepowershell.exeHWMonitor.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchostservice.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhostservices.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HWMonitor.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
crss.exeHWMonitor.exepid process 2808 crss.exe 2496 HWMonitor.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exepowershell.exepid process 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe 540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exepowershell.exedescription pid process Token: SeDebugPrivilege 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe Token: SeDebugPrivilege 540 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
dllhostservices.exe06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exepid process 2872 dllhostservices.exe 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.execrss.exedescription pid process target process PID 2376 wrote to memory of 2872 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe dllhostservices.exe PID 2376 wrote to memory of 2872 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe dllhostservices.exe PID 2376 wrote to memory of 2872 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe dllhostservices.exe PID 2376 wrote to memory of 2872 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe dllhostservices.exe PID 2376 wrote to memory of 2808 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe crss.exe PID 2376 wrote to memory of 2808 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe crss.exe PID 2376 wrote to memory of 2808 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe crss.exe PID 2376 wrote to memory of 2808 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe crss.exe PID 2376 wrote to memory of 2928 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe svchostservice.exe PID 2376 wrote to memory of 2928 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe svchostservice.exe PID 2376 wrote to memory of 2928 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe svchostservice.exe PID 2376 wrote to memory of 2928 2376 06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe svchostservice.exe PID 2808 wrote to memory of 540 2808 crss.exe powershell.exe PID 2808 wrote to memory of 540 2808 crss.exe powershell.exe PID 2808 wrote to memory of 540 2808 crss.exe powershell.exe PID 2808 wrote to memory of 540 2808 crss.exe powershell.exe PID 2808 wrote to memory of 2496 2808 crss.exe HWMonitor.exe PID 2808 wrote to memory of 2496 2808 crss.exe HWMonitor.exe PID 2808 wrote to memory of 2496 2808 crss.exe HWMonitor.exe PID 2808 wrote to memory of 2496 2808 crss.exe HWMonitor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\agentesla\06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe"C:\Users\Admin\AppData\Local\Temp\agentesla\06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2872 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Windows\system32\HWMonitor\HWMonitor.exe"' -PropertyType 'String'3⤵
- Adds Run key to start application
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540 -
C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe"C:\Windows\system32\HWMonitor\HWMonitor.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
PID:2496 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2928
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
10KB
MD5caf9747a01a99245a0b3df133dd85191
SHA1c8429f9d5d1d9768e22019fcac5f0d4b59c006a6
SHA2566d0d83d060bc279825425757101698e702f3e71c53639270c63b24216fcbcd3f
SHA512efde236d9924598aa1b3b54b1711b9bbea194bd4a392781aa3c71dca55a0e0188bc8452468497538ee7444ee8803ab4c5865f821fd7aba60b811ed72ebd57ce7
-
Filesize
36KB
MD564836f3e257a5b415711abc3b6ea6323
SHA1f52f8588801554eaf4e495784b84f830c4afeaf4
SHA2563f02a631dce0c4a4acd39ca731eae0ebda74ea65bfe90573d2ab226bab1dc234
SHA512f3418f421ff0d0bfefd37e5ad75f9d2ffe40953333b90a01ab015942f36333fc4c0e03e468e725e6d8bb5573d9c058aeb889336fee77099db2ddfdfd1a7822f9
-
Filesize
37.2MB
MD54de02f7704af0b408375810ec01c7e43
SHA1a94b5287df2d34a7db983574c647d1247609b541
SHA256f31652f75764d59b0108f54074cb36e2d7328031bc154afeb0ce98c8a110557d
SHA5127549844d0cbdc027f4cdc9ee09cee453ddc97da3a90ff9690e2749a130abd62c048a37969a9899bfbd4b4aacea1961d5bffa8464c0220984176b131fa76b943c
-
Filesize
45KB
MD5962b8a0da7f38404ae75698d445d2f82
SHA1afefd1bc3f70d9a03621a22715ea1001a8d4427b
SHA256940d979a6e48061d85288ff57e6865087d7c0362774bd7d2caebfdc7b02914eb
SHA512e1092a2f4c3877eca9d6f67b4da78fecae66bc5fd49d190f796358c245b005a3c6fbd49496bfb4b1ea688c6719c0ca4f963f49b192c97dcb518d5cd4c42bbc68