agenttesla | 42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/11/2023, 18:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

OFFER REQUEST.exe
Size

369KB
MD5

53981e94bf9b125871ff3d555fcb6e18
SHA1

9d4ba161bf60e243951b436feb14c2c0d3284a73
SHA256

42bb4ea726a68142140dbe3953e6027f5176aeb359d06ca71652bfd61a3a4898
SHA512

b365626996d9d3c4dd2fede34e4fd6a2874f4c75f5f4671bc261bdfea36419dc473b790f6fa5c41d82c7beb0f5fad375f6ad14f059eaeaa2784f092d82cf39f9
SSDEEP

6144:bNDlOltlhJka8EOHDn7m8aviLBdRIdpoqgYT83+KAmfL3:but7JkzEOjn7mHviPlA8OxU3

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.crusatabogados.com
Port:
587
Username:
[email protected]
Password:
Ticote42?
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 9 IoCs

pid	Process
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe
3448	OFFER REQUEST.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org
26	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3040	msbuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3448	OFFER REQUEST.exe
3040	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 3040	3448	OFFER REQUEST.exe	94

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\nuking\ureterectasis\Aabningstidspunkts\Nonmendicancy\Supplejack242\Auriculas34\Centerforwarders.lnk	OFFER REQUEST.exe
File opened for modification	C:\Program Files (x86)\Common Files\salmonellaen\supercentral\occidentals\scraggiest\produkter\trachinidae\varmeslanger\patiens.ini	OFFER REQUEST.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	3040	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3040	msbuild.exe
3040	msbuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3448	OFFER REQUEST.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	msbuild.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 3040	3448	OFFER REQUEST.exe	94
PID 3448 wrote to memory of 3040	3448	OFFER REQUEST.exe	94
PID 3448 wrote to memory of 3040	3448	OFFER REQUEST.exe	94
PID 3448 wrote to memory of 3040	3448	OFFER REQUEST.exe	94
PID 3448 wrote to memory of 3040	3448	OFFER REQUEST.exe	94

C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe
"C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Users\Admin\AppData\Local\Temp\OFFER REQUEST.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2544
    3⤵
    - Program crash
    PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3040 -ip 3040
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\BgImage.dll

Filesize
7KB

MD5
d4be14b49e319ba76c559e6c2c284a04

SHA1
ef39e0be34505530da6710d450c0d97922ef0e1d

SHA256
bc4f95b716d26bbf9a6434569a6d777755ba233666a9ce57cb393ca25b82212f

SHA512
1621f4538d8b75fb5c43b8a716a3d578c76fcfae716babdd1065b25693d86263dbdbb00d84dc16481b55697cfe3576ee49bd9fe10653560a2eba004c9c2bd69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl9626.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
memory/3040-40-0x0000000001300000-0x0000000002BDD000-memory.dmp

Filesize
24.9MB

Download
memory/3040-59-0x00000000723B0000-0x00000000723F2000-memory.dmp

Filesize
264KB

Download
memory/3040-67-0x0000000076F21000-0x0000000077041000-memory.dmp

Filesize
1.1MB

Download
memory/3040-66-0x0000000070CF0000-0x00000000714A0000-memory.dmp

Filesize
7.7MB

Download
memory/3040-64-0x0000000001300000-0x0000000002BDD000-memory.dmp

Filesize
24.9MB

Download
memory/3040-42-0x0000000076FA8000-0x0000000076FA9000-memory.dmp

Filesize
4KB

Download
memory/3040-43-0x0000000076FC5000-0x0000000076FC6000-memory.dmp

Filesize
4KB

Download
memory/3040-56-0x00000000723B0000-0x0000000073604000-memory.dmp

Filesize
18.3MB

Download
memory/3040-57-0x0000000001300000-0x0000000002BDD000-memory.dmp

Filesize
24.9MB

Download
memory/3040-63-0x00000000353F0000-0x0000000035400000-memory.dmp

Filesize
64KB

Download
memory/3040-60-0x0000000070CF0000-0x00000000714A0000-memory.dmp

Filesize
7.7MB

Download
memory/3040-61-0x00000000359B0000-0x0000000035F54000-memory.dmp

Filesize
5.6MB

Download
memory/3040-62-0x0000000035500000-0x0000000035566000-memory.dmp

Filesize
408KB

Download
memory/3448-38-0x0000000076F21000-0x0000000077041000-memory.dmp

Filesize
1.1MB

Download
memory/3448-41-0x0000000005970000-0x000000000724D000-memory.dmp

Filesize
24.9MB

Download
memory/3448-37-0x0000000005970000-0x000000000724D000-memory.dmp

Filesize
24.9MB

Download
memory/3448-39-0x0000000073610000-0x0000000073617000-memory.dmp

Filesize
28KB

Download