agenttesla | 7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20

General

Target

SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
Size

105KB
MD5

ac4b11253fd63a6f272bf10dabdbfb01
SHA1

1892479a8d6b58642f57514b6bbd29ab4f7e5e62
SHA256

7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
SHA512

34b90fb700e609065b1e0ecf8eaa3fa5f33ed470e8dd58b03874de808bbae304e52ac5c0f81c93e9ec798dcf6009cc76433899743fef8ea4db1fdb0fb9f60511
SSDEEP

3072:Us+LplNxNXz3lxRXJWfH1lzsf+BaMPEGNXA8rD:UsKxNX1AP14xA7NXjv

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.overviewsupplies.com/
Port:
21
Username:
[email protected]
Password:
w[3c2r?B,Of+

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1436	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
1436	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1848 set thread context of 1436	1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 1436	1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe	28
PID 1848 wrote to memory of 1436	1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe	28
PID 1848 wrote to memory of 1436	1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe	28
PID 1848 wrote to memory of 1436	1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe	28
PID 1848 wrote to memory of 1436	1848	SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe	28
PID 1436 wrote to memory of 1780	1436	caspol.exe	32
PID 1436 wrote to memory of 1780	1436	caspol.exe	32
PID 1436 wrote to memory of 1780	1436	caspol.exe	32
PID 1436 wrote to memory of 1780	1436	caspol.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1584
    3⤵
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstE68A.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
memory/1436-65-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download
memory/1436-68-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1436-77-0x00000000732C0000-0x000000007386B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-75-0x00000000732C0000-0x000000007386B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1436-63-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/1436-72-0x0000000000080000-0x0000000000180000-memory.dmp

Filesize
1024KB

Download
memory/1436-67-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1848-56-0x0000000002730000-0x000000000337A000-memory.dmp

Filesize
12.3MB

Download
memory/1848-71-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1848-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1848-62-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1848-61-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1848-76-0x0000000077460000-0x00000000775E0000-memory.dmp

Filesize
1.5MB

Download
memory/1848-57-0x0000000077280000-0x0000000077429000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing