agenttesla | d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138

General

Target

ORDEN DE COMPRA 80107.pdf________________________.exe
Size

229KB
MD5

af7c27fd6e49538aa93a667d67463c51
SHA1

e2da9a0143a07da2b2c498f4622ea5db21d9298f
SHA256

d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138
SHA512

6fdf0a2efc97e8c69c8aa97d4a2f47826c7bc201a8db4323f41ac097925c0c5e919ec7df5e72579d61dab3e7e38f8e8a324ca8a336b55e2ce756838a9bd08122

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bhgautopartes.com
Port:
587
Username:
kubaba@bhgautopartes.com
Password:
icui4cu2@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3740-124-0x0000000000400000-0x00000000006A3000-memory.dmp	family_agenttesla
behavioral2/memory/3740-125-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDEN DE COMPRA 80107.pdf________________________.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ORDEN DE COMPRA 80107.pdf________________________.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

3740 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.execaspol.exe

pid process

2472 ORDEN DE COMPRA 80107.pdf________________________.exe
3740 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

description pid process target process

PID 2472 set thread context of 3740 2472 ORDEN DE COMPRA 80107.pdf________________________.exe caspol.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

caspol.exe

pid process

3740 caspol.exe
3740 caspol.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

pid process

2472 ORDEN DE COMPRA 80107.pdf________________________.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caspol.exe

description pid process

Token: SeDebugPrivilege 3740 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

pid process

2472 ORDEN DE COMPRA 80107.pdf________________________.exe

pid	process
3740	caspol.exe

pid	process
2472	ORDEN DE COMPRA 80107.pdf________________________.exe
3740	caspol.exe

description	pid	process	target process
PID 2472 set thread context of 3740	2472	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe

pid	process
3740	caspol.exe
3740	caspol.exe

pid	process
2472	ORDEN DE COMPRA 80107.pdf________________________.exe

description	pid	process
Token: SeDebugPrivilege	3740	caspol.exe

pid	process
2472	ORDEN DE COMPRA 80107.pdf________________________.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

description	pid	process	target process
PID 2472 wrote to memory of 3740	2472	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 2472 wrote to memory of 3740	2472	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 2472 wrote to memory of 3740	2472	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 2472 wrote to memory of 3740	2472	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe

outlook_office_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

outlook_win_path 1 IoCs

Processes:

caspol.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	caspol.exe

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
2⤵
- Checks QEMU agent file
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2472-117-0x00000000022C0000-0x00000000022D4000-memory.dmp

Filesize
80KB

Download
memory/2472-118-0x00007FFFEE4D0000-0x00007FFFEE6AB000-memory.dmp

Filesize
1.9MB

Download
memory/2472-119-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/2472-120-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3740-121-0x0000000000B00000-0x0000000000DD0000-memory.dmp

Filesize
2.8MB

Download
memory/3740-122-0x00007FFFEE4D0000-0x00007FFFEE6AB000-memory.dmp

Filesize
1.9MB

Download
memory/3740-123-0x0000000077B80000-0x0000000077D0E000-memory.dmp

Filesize
1.6MB

Download
memory/3740-124-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/3740-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3740-126-0x00000000202A0000-0x000000002079E000-memory.dmp

Filesize
5.0MB

Download
memory/3740-139-0x000000001FFE0000-0x000000002007C000-memory.dmp

Filesize
624KB

Download
memory/3740-140-0x000000001FDA0000-0x000000002029E000-memory.dmp

Filesize
5.0MB

Download
memory/3740-178-0x0000000000760000-0x0000000000778000-memory.dmp

Filesize
96KB

Download
memory/3740-181-0x0000000020080000-0x00000000200E6000-memory.dmp

Filesize
408KB

Download
memory/3740-203-0x0000000020940000-0x00000000209D2000-memory.dmp

Filesize
584KB

Download
memory/3740-206-0x000000001FF80000-0x000000001FF8A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads