agenttesla | 698dee67ffc5a82e25e75e3adb337b0d4869d2c2f5ff1362c4b8ef881ac84f54

General

Target

SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe
Size

134KB
MD5

fa642af59bc3f678e8c64942de1ea1b5
SHA1

cb5a9a2b97969938efffe74a2961936853239a04
SHA256

698dee67ffc5a82e25e75e3adb337b0d4869d2c2f5ff1362c4b8ef881ac84f54
SHA512

c03a62db947abe6f2994df3c54b6e6322dd07a9e4c843b8821495579f51deec5ad038fae580d2733da0350e691111f6ad07f875a91c85216566a126c4ef715e1
SSDEEP

3072:tNRCywDw1DiJkupabH2rCcSla0qN/vwfFfdLQ861CxBbFhnQ7Cx:tT4DtyWrCjlSSB61CxQ

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.overviewsupplies.com/
Port:
21
Username:
[email protected]
Password:
w[3c2r?B,Of+

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 1 IoCs

pid	Process
1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1136	caspol.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe
1136	caspol.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1836 set thread context of 1136	1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe	27

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Aestus.ini	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 1136	1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe	27
PID 1836 wrote to memory of 1136	1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe	27
PID 1836 wrote to memory of 1136	1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe	27
PID 1836 wrote to memory of 1136	1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe	27
PID 1836 wrote to memory of 1136	1836	SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe	27
PID 1136 wrote to memory of 2000	1136	caspol.exe	31
PID 1136 wrote to memory of 2000	1136	caspol.exe	31
PID 1136 wrote to memory of 2000	1136	caspol.exe	31
PID 1136 wrote to memory of 2000	1136	caspol.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe"
  2⤵
  - Checks QEMU agent file
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1588
    3⤵
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstFDB2.tmp\System.dll

Filesize
12KB

MD5
a1da6788aeaf78ca4ae1dece8019e49d

SHA1
d770155e6e9aa69223be198c44a8da26a1756d89

SHA256
b7823a15e7b1866ba3d77248f750b66505859d264cfc39d8c8c5e812f8ae4a81

SHA512
eada9c1528563ddfe3d4d8ed5dbc52b85a9190765535b68da90e6d623288bf0090adac5118e1ed6e3cb3e0abb9af025d3a2a73121413a4471a90fd04bc861e18

Download Submit
memory/1136-70-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1136-79-0x0000000072CC0000-0x000000007326B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-78-0x0000000077000000-0x0000000077180000-memory.dmp

Filesize
1.5MB

Download
memory/1136-76-0x0000000072CC0000-0x000000007326B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1136-63-0x0000000000210000-0x0000000000310000-memory.dmp

Filesize
1024KB

Download
memory/1136-64-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1136-67-0x0000000077000000-0x0000000077180000-memory.dmp

Filesize
1.5MB

Download
memory/1136-71-0x0000000000401000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/1136-69-0x0000000000210000-0x0000000000310000-memory.dmp

Filesize
1024KB

Download
memory/1836-68-0x0000000077000000-0x0000000077180000-memory.dmp

Filesize
1.5MB

Download
memory/1836-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1836-62-0x0000000077000000-0x0000000077180000-memory.dmp

Filesize
1.5MB

Download
memory/1836-61-0x0000000077000000-0x0000000077180000-memory.dmp

Filesize
1.5MB

Download
memory/1836-77-0x0000000077000000-0x0000000077180000-memory.dmp

Filesize
1.5MB

Download
memory/1836-60-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1836-56-0x00000000025C0000-0x000000000320A000-memory.dmp

Filesize
12.3MB

Download

Analysis

Sharing