agenttesla | d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138

General

Target

ORDEN DE COMPRA 80107.pdf________________________.exe
Size

229KB
MD5

af7c27fd6e49538aa93a667d67463c51
SHA1

e2da9a0143a07da2b2c498f4622ea5db21d9298f
SHA256

d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138
SHA512

6fdf0a2efc97e8c69c8aa97d4a2f47826c7bc201a8db4323f41ac097925c0c5e919ec7df5e72579d61dab3e7e38f8e8a324ca8a336b55e2ce756838a9bd08122

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bhgautopartes.com
Port:
587
Username:
kubaba@bhgautopartes.com
Password:
icui4cu2@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3500-125-0x0000000000400000-0x00000000006A3000-memory.dmp	family_agenttesla
behavioral2/memory/3500-126-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDEN DE COMPRA 80107.pdf________________________.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ORDEN DE COMPRA 80107.pdf________________________.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

caspol.exe

pid process

3500 caspol.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.execaspol.exe

pid process

3140 ORDEN DE COMPRA 80107.pdf________________________.exe
3500 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

description pid process target process

PID 3140 set thread context of 3500 3140 ORDEN DE COMPRA 80107.pdf________________________.exe caspol.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

caspol.exe

pid process

3500 caspol.exe
3500 caspol.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

pid process

3140 ORDEN DE COMPRA 80107.pdf________________________.exe
3140 ORDEN DE COMPRA 80107.pdf________________________.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

caspol.exe

description pid process

Token: SeDebugPrivilege 3500 caspol.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

pid process

3140 ORDEN DE COMPRA 80107.pdf________________________.exe

pid	process
3500	caspol.exe

pid	process
3140	ORDEN DE COMPRA 80107.pdf________________________.exe
3500	caspol.exe

description	pid	process	target process
PID 3140 set thread context of 3500	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe

pid	process
3500	caspol.exe
3500	caspol.exe

pid	process
3140	ORDEN DE COMPRA 80107.pdf________________________.exe
3140	ORDEN DE COMPRA 80107.pdf________________________.exe

description	pid	process
Token: SeDebugPrivilege	3500	caspol.exe

pid	process
3140	ORDEN DE COMPRA 80107.pdf________________________.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ORDEN DE COMPRA 80107.pdf________________________.exe

description	pid	process	target process
PID 3140 wrote to memory of 3020	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 3140 wrote to memory of 3020	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 3140 wrote to memory of 3020	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 3140 wrote to memory of 3500	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 3140 wrote to memory of 3500	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 3140 wrote to memory of 3500	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe
PID 3140 wrote to memory of 3500	3140	ORDEN DE COMPRA 80107.pdf________________________.exe	caspol.exe

C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
2⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRA 80107.pdf________________________.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3140-117-0x0000000002460000-0x0000000002474000-memory.dmp

Filesize
80KB

Download
memory/3140-118-0x00007FFA3B2A0000-0x00007FFA3B47B000-memory.dmp

Filesize
1.9MB

Download
memory/3140-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3140-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3140-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-122-0x0000000000F00000-0x0000000001100000-memory.dmp

Filesize
2.0MB

Download
memory/3500-123-0x00007FFA3B2A0000-0x00007FFA3B47B000-memory.dmp

Filesize
1.9MB

Download
memory/3500-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/3500-125-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/3500-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3500-127-0x0000000020900000-0x0000000020DFE000-memory.dmp

Filesize
5.0MB

Download
memory/3500-140-0x00000000205F0000-0x000000002068C000-memory.dmp

Filesize
624KB

Download
memory/3500-141-0x0000000020400000-0x00000000208FE000-memory.dmp

Filesize
5.0MB

Download
memory/3500-179-0x0000000000B50000-0x0000000000B68000-memory.dmp

Filesize
96KB

Download
memory/3500-182-0x0000000000E70000-0x0000000000ED6000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads