agenttesla | 189452b759890e44953e0395335846a248857c4afd009ca9988861b310234faf

General

Target

SineticBootstrapper.exe
Size

11KB
MD5

72d03bb8976d6a9dae0608e17578bd0f
SHA1

9afe333cb2a3348065b727c32621cb021b7a5376
SHA256

189452b759890e44953e0395335846a248857c4afd009ca9988861b310234faf
SHA512

bf2c74a87d3e5c81adffa5a240e7d654c758576241f19f5d849c1e6764516c854a246a0a4691e90309486a3ff90a88f0c756c46ac6f9f25e9093481d690b0000
SSDEEP

96:OD7Wf/WR2crOXOrBw0HhNlCxc6sRZ+I/8qynQ3SkgoCFjkHIVMVi3LtS39EzNt:c7W3peCkhkc6sjXbynQ3lvViotu

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Guna.UI2.dll	family_agenttesla
behavioral2/memory/1920-216-0x0000000005630000-0x0000000005842000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SineticBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	SineticBootstrapper.exe

Executes dropped EXE 1 IoCs

Processes:

Sinetic.exe

pid process

1920 Sinetic.exe
Loads dropped DLL 6 IoCs

Processes:

Sinetic.exe

pid process

1920 Sinetic.exe
1920 Sinetic.exe
1920 Sinetic.exe
1920 Sinetic.exe
1920 Sinetic.exe
1920 Sinetic.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

22 raw.githubusercontent.com
42 raw.githubusercontent.com
21 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1920	Sinetic.exe

pid	process
1920	Sinetic.exe
1920	Sinetic.exe
1920	Sinetic.exe
1920	Sinetic.exe
1920	Sinetic.exe
1920	Sinetic.exe

flow	ioc
22	raw.githubusercontent.com
42	raw.githubusercontent.com
21	raw.githubusercontent.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

SineticBootstrapper.exeSinetic.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SineticBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sinetic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Sinetic.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Sinetic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Sinetic.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Sinetic.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SineticBootstrapper.exeSinetic.exe

description pid process

Token: SeDebugPrivilege 764 SineticBootstrapper.exe
Token: SeDebugPrivilege 1920 Sinetic.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Sinetic.exe

pid process

1920 Sinetic.exe
1920 Sinetic.exe

description	pid	process
Token: SeDebugPrivilege	764	SineticBootstrapper.exe
Token: SeDebugPrivilege	1920	Sinetic.exe

pid	process
1920	Sinetic.exe
1920	Sinetic.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

SineticBootstrapper.exe

description	pid	process	target process
PID 764 wrote to memory of 1920	764	SineticBootstrapper.exe	Sinetic.exe
PID 764 wrote to memory of 1920	764	SineticBootstrapper.exe	Sinetic.exe
PID 764 wrote to memory of 1920	764	SineticBootstrapper.exe	Sinetic.exe

C:\Users\Admin\AppData\Local\Temp\SineticBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SineticBootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764

C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Sinetic.exe
"C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Sinetic.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Sinetic.exe

Filesize
1.2MB

MD5
144e307c7cc08f428993dec86521e947

SHA1
828931ce162d5e83aed327bcfd99caa1d7642e2f

SHA256
714b5ba9f21e445edbc62fdd504979727f138cc3ee40ccdf486d9342f26b36a0

SHA512
0b4de898859884fd2b2fbdaeacd4cef541329952447fd9c6f8c7225442720a2ada6345f7ccec53d3e4dacff65104533ecd771db599dc77ad9a028094f83f8d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sinetic-Executor-main\Sinetic-Executor-main\Sineitc [VERSION 1.4]\Siticone.Desktop.UI.dll

Filesize
4.0MB

MD5
1582aa45d981e0e569c6e05698642b30

SHA1
763506f312a186c55a04ef6a16ad7e867c394097

SHA256
21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589

SHA512
278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34

Download Submit
memory/764-1-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/764-2-0x00000000028A0000-0x00000000028AA000-memory.dmp

Filesize
40KB

Download
memory/764-3-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/764-5-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/764-210-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/764-0-0x000000007473E000-0x000000007473F000-memory.dmp

Filesize
4KB

Download
memory/1920-216-0x0000000005630000-0x0000000005842000-memory.dmp

Filesize
2.1MB

Download
memory/1920-223-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-211-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/1920-217-0x0000000005040000-0x000000000504A000-memory.dmp

Filesize
40KB

Download
memory/1920-209-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-221-0x0000000005D50000-0x0000000006156000-memory.dmp

Filesize
4.0MB

Download
memory/1920-222-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-212-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/1920-224-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-208-0x00000000001C0000-0x00000000002EE000-memory.dmp

Filesize
1.2MB

Download
memory/1920-228-0x00000000085C0000-0x0000000008672000-memory.dmp

Filesize
712KB

Download
memory/1920-229-0x0000000008C40000-0x0000000008C62000-memory.dmp

Filesize
136KB

Download
memory/1920-230-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-231-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads