agenttesla | 49042e86af4503a917b8408c4faab2759688065a429015a2c90430fa7371291f

Analysis

max time kernel
289s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dropped Malware/Jailkeeper.exe
Size

858KB
MD5

c7eefc30a9cdc5bab3269cefde2d221e
SHA1

27914bc81bdc74d9607784d9e239f5437b1e8cb1
SHA256

2a089fc9b24c5253a913526be0ac2ee62b911a96645cb70885d678c91dcb83c9
SHA512

fce33213726f84946162e2c115f67dc4dbfe60af9ca6b6ceb75d576f9370abc98ed0309acf617a2c6f34ffc023632ce1b32391716190980aceb4af84dce3798c
SSDEEP

24576:XcIjUna3iVPF+zgyKKht6APjMtiVBsRXRU:kbF50httQbi

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://mail.hearing-vision.com
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
3872	Jailkeeper.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3712	Jailkeeper.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3872	Jailkeeper.exe
3712	Jailkeeper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3872 set thread context of 3712	3872	Jailkeeper.exe	76

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\reassigned\sandi.ini	Jailkeeper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3712	Jailkeeper.exe
3712	Jailkeeper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3872	Jailkeeper.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3712	Jailkeeper.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 3712	3872	Jailkeeper.exe	76
PID 3872 wrote to memory of 3712	3872	Jailkeeper.exe	76
PID 3872 wrote to memory of 3712	3872	Jailkeeper.exe	76
PID 3872 wrote to memory of 3712	3872	Jailkeeper.exe	76
PID 3872 wrote to memory of 3712	3872	Jailkeeper.exe	76

C:\Users\Admin\AppData\Local\Temp\Dropped Malware\Jailkeeper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropped Malware\Jailkeeper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Users\Admin\AppData\Local\Temp\Dropped Malware\Jailkeeper.exe
  "C:\Users\Admin\AppData\Local\Temp\Dropped Malware\Jailkeeper.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa3B36.tmp\System.dll

Filesize
11KB

MD5
55a26d7800446f1373056064c64c3ce8

SHA1
80256857e9a0a9c8897923b717f3435295a76002

SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8

SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

Download Submit
memory/3712-32-0x0000000035140000-0x00000000356E6000-memory.dmp

Filesize
5.6MB

Download
memory/3712-31-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/3712-39-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

Filesize
2.0MB

Download
memory/3712-27-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

Filesize
2.0MB

Download
memory/3712-28-0x00000000004A0000-0x00000000017B7000-memory.dmp

Filesize
19.1MB

Download
memory/3712-29-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

Filesize
2.0MB

Download
memory/3712-36-0x0000000035EC0000-0x0000000035ECA000-memory.dmp

Filesize
40KB

Download
memory/3712-35-0x0000000035DF0000-0x0000000035E82000-memory.dmp

Filesize
584KB

Download
memory/3712-34-0x0000000035DA0000-0x0000000035DF0000-memory.dmp

Filesize
320KB

Download
memory/3712-33-0x0000000032CF0000-0x0000000032D56000-memory.dmp

Filesize
408KB

Download
memory/3872-24-0x0000000004B60000-0x00000000059AA000-memory.dmp

Filesize
14.3MB

Download
memory/3872-25-0x00007FF86FD81000-0x00007FF86FEAA000-memory.dmp

Filesize
1.2MB

Download
memory/3872-30-0x0000000004B60000-0x00000000059AA000-memory.dmp

Filesize
14.3MB

Download
memory/3872-26-0x00007FF86FD80000-0x00007FF86FF89000-memory.dmp

Filesize
2.0MB

Download