agenttesla | 45e4a0928b9a955dd791cee03ff5157f2eb31d465ba24deb1d40f102f54a3e4a

General

Target

vbc.exe
Size

193KB
MD5

b2b0d367777c10ea84ddd200e494fafb
SHA1

1c263867f142e10910d6c25274ba2b45115becee
SHA256

45e4a0928b9a955dd791cee03ff5157f2eb31d465ba24deb1d40f102f54a3e4a
SHA512

e4cabfefa77a9ff1686fd717c8b045d24e6167ea421e3e2a4ec5977491592711e9defc9d5ca4925f32c8449bd9428eb6684957a7eee28227e4d3431674b81ad1

Score

10^/10

agenttesla guloader lokibot collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5013020608:AAFu_btAZRcQ9V-SvEIxL9rCbb_x1A-9IJo/sendDocument

Extracted

Family

lokibot

C2

http://tootoo.ga/webxpo/gate.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/792-72-0x0000000000400000-0x000000000069B000-memory.dmp	family_agenttesla
behavioral1/memory/792-73-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Sknnestes9.exe

pid process

1972 Sknnestes9.exe

pid	process
1972	Sknnestes9.exe

Checks QEMU agent file 2 TTPs 4 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vbc.execaspol.exeSknnestes9.exeSknnestes9.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	vbc.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Sknnestes9.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	Sknnestes9.exe

Loads dropped DLL 3 IoCs

Processes:

caspol.exeSknnestes9.exe

pid process

792 caspol.exe
792 caspol.exe
676 Sknnestes9.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
792	caspol.exe
792	caspol.exe
676	Sknnestes9.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

caspol.exeSknnestes9.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Sknnestes9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	Sknnestes9.exe
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	Sknnestes9.exe

Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs

Processes:

caspol.exeSknnestes9.exe

pid process

792 caspol.exe
676 Sknnestes9.exe
676 Sknnestes9.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

vbc.execaspol.exeSknnestes9.exeSknnestes9.exe

pid process

832 vbc.exe
792 caspol.exe
1972 Sknnestes9.exe
676 Sknnestes9.exe

pid	process
792	caspol.exe
676	Sknnestes9.exe
676	Sknnestes9.exe

pid	process
832	vbc.exe
792	caspol.exe
1972	Sknnestes9.exe
676	Sknnestes9.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vbc.exeSknnestes9.exe

description	pid	process	target process
PID 832 set thread context of 792	832	vbc.exe	caspol.exe
PID 1972 set thread context of 676	1972	Sknnestes9.exe	Sknnestes9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

caspol.exe

pid process

792 caspol.exe
792 caspol.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

vbc.exeSknnestes9.exe

pid process

832 vbc.exe
1972 Sknnestes9.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

caspol.exeSknnestes9.exe

description pid process

Token: SeDebugPrivilege 792 caspol.exe
Token: SeDebugPrivilege 676 Sknnestes9.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

vbc.exeSknnestes9.exe

pid process

832 vbc.exe
1972 Sknnestes9.exe

pid	process
792	caspol.exe
792	caspol.exe

pid	process
832	vbc.exe
1972	Sknnestes9.exe

description	pid	process
Token: SeDebugPrivilege	792	caspol.exe
Token: SeDebugPrivilege	676	Sknnestes9.exe

pid	process
832	vbc.exe
1972	Sknnestes9.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

vbc.execaspol.exeSknnestes9.exe

description	pid	process	target process
PID 832 wrote to memory of 792	832	vbc.exe	caspol.exe
PID 832 wrote to memory of 792	832	vbc.exe	caspol.exe
PID 832 wrote to memory of 792	832	vbc.exe	caspol.exe
PID 832 wrote to memory of 792	832	vbc.exe	caspol.exe
PID 832 wrote to memory of 792	832	vbc.exe	caspol.exe
PID 792 wrote to memory of 1972	792	caspol.exe	Sknnestes9.exe
PID 792 wrote to memory of 1972	792	caspol.exe	Sknnestes9.exe
PID 792 wrote to memory of 1972	792	caspol.exe	Sknnestes9.exe
PID 792 wrote to memory of 1972	792	caspol.exe	Sknnestes9.exe
PID 1972 wrote to memory of 676	1972	Sknnestes9.exe	Sknnestes9.exe
PID 1972 wrote to memory of 676	1972	Sknnestes9.exe	Sknnestes9.exe
PID 1972 wrote to memory of 676	1972	Sknnestes9.exe	Sknnestes9.exe
PID 1972 wrote to memory of 676	1972	Sknnestes9.exe	Sknnestes9.exe
PID 1972 wrote to memory of 676	1972	Sknnestes9.exe	Sknnestes9.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:792

C:\Users\Admin\AppData\Roaming\Sknnestes9.exe
"C:\Users\Admin\AppData\Roaming\Sknnestes9.exe"
3⤵
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Roaming\Sknnestes9.exe
"C:\Users\Admin\AppData\Roaming\Sknnestes9.exe"
4⤵
- Checks QEMU agent file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oWd6XQZBhARVHwO1QZW240
MD5
f97264a5d29376aadd091cb8880bf4e4

SHA1
1641d112c7f0f31ccff1b9ccab6222d245642e27

SHA256
5bd919690a6400c82da06969c65988a748945cbf3fd6f4ed803884ba516e4bd2

SHA512
6badc1c7bd2b5dad04ff809f0ea6e3a590a777fcaef4750e873bdaea24afd9ce4cc5e1190811632c12f9d6a5cfd67e0b449060fd1811bd55e8863f3a5620b0e2

Download Submit
C:\Users\Admin\AppData\Roaming\Sknnestes9.exe
MD5
7e8effc999bf0c37467eb143ab1a693b

SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9

SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb

SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7

Download Submit
C:\Users\Admin\AppData\Roaming\Sknnestes9.exe
MD5
7e8effc999bf0c37467eb143ab1a693b

SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9

SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb

SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7

Download Submit
C:\Users\Admin\AppData\Roaming\Sknnestes9.exe
MD5
7e8effc999bf0c37467eb143ab1a693b

SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9

SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb

SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7

Download Submit
\Users\Admin\AppData\Roaming\Sknnestes9.exe
MD5
7e8effc999bf0c37467eb143ab1a693b

SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9

SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb

SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7

Download Submit
\Users\Admin\AppData\Roaming\Sknnestes9.exe
MD5
7e8effc999bf0c37467eb143ab1a693b

SHA1
3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9

SHA256
a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb

SHA512
2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7

Download Submit
memory/676-90-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/676-85-0x00000000001B0000-0x0000000000380000-memory.dmp

Filesize
1.8MB

Download
memory/676-84-0x0000000000400000-0x0000000001462000-memory.dmp

Filesize
16.4MB

Download
memory/676-89-0x00000000777F0000-0x0000000077970000-memory.dmp

Filesize
1.5MB

Download
memory/676-88-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/792-65-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/792-75-0x000000001FEB0000-0x000000001FEB1000-memory.dmp

Filesize
4KB

Download
memory/792-91-0x000000001FEB1000-0x000000001FEB2000-memory.dmp

Filesize
4KB

Download
memory/792-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/792-72-0x0000000000400000-0x000000000069B000-memory.dmp

Filesize
2.6MB

Download
memory/792-62-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/832-56-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/832-60-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/832-59-0x00000000777F0000-0x0000000077970000-memory.dmp

Filesize
1.5MB

Download
memory/832-58-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download
memory/1972-74-0x0000000000250000-0x0000000000277000-memory.dmp

Filesize
156KB

Download
memory/1972-83-0x00000000777F0000-0x0000000077970000-memory.dmp

Filesize
1.5MB

Download
memory/1972-79-0x00000000777F0000-0x0000000077970000-memory.dmp

Filesize
1.5MB

Download
memory/1972-77-0x0000000077610000-0x00000000777B9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads