agenttesla | c82046986624ca53191cffe0aa3316bbbacd49551e31eb2df0f66b7ee29a70fd

General

Target

F0987654678000.exe
Size

585KB
MD5

e4abeca3f1e138479cda142530fbc810
SHA1

5b010c25a6b4702d6d0ea9c48d2a3339de5d5182
SHA256

b50fc7113a6c52967913e5bada3755364af76c2188ed621af5f23c3669648425
SHA512

93b8dea3bc03d88c1ac6e6b0e171f3db2153f73c139dc513b6ee16c74f4499461e92cf06bf2421fef2463f0441f8db655c1c4ae38c2c1705fe805035e31a5ab3
SSDEEP

12288:yYV6MorX7qzuC3QHO9FQVHPF51jgcdF++2Jw4THc7E6mVIE:BBXu9HGaVHWxJwGHcg6mv

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs	Grinnellia.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	Grinnellia.exe

Loads dropped DLL 1 IoCs

pid	Process
1504	F0987654678000.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1504-0-0x0000000000C00000-0x0000000000D51000-memory.dmp	upx
behavioral1/files/0x00060000000194cd-14.dat	upx
behavioral1/memory/1504-20-0x0000000000C00000-0x0000000000D51000-memory.dmp	upx
behavioral1/memory/1504-17-0x0000000002AA0000-0x0000000002BF1000-memory.dmp	upx
behavioral1/memory/2520-21-0x00000000002F0000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2520-43-0x00000000002F0000-0x0000000000441000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1504-20-0x0000000000C00000-0x0000000000D51000-memory.dmp	autoit_exe
behavioral1/memory/2520-21-0x00000000002F0000-0x0000000000441000-memory.dmp	autoit_exe
behavioral1/memory/2520-43-0x00000000002F0000-0x0000000000441000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2520 set thread context of 2824	2520	Grinnellia.exe	32

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F0987654678000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Grinnellia.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2824	RegSvcs.exe
2824	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2520	Grinnellia.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1504	F0987654678000.exe
1504	F0987654678000.exe
2520	Grinnellia.exe
2520	Grinnellia.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1504	F0987654678000.exe
1504	F0987654678000.exe
2520	Grinnellia.exe
2520	Grinnellia.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2520	1504	F0987654678000.exe	31
PID 1504 wrote to memory of 2520	1504	F0987654678000.exe	31
PID 1504 wrote to memory of 2520	1504	F0987654678000.exe	31
PID 1504 wrote to memory of 2520	1504	F0987654678000.exe	31
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32
PID 2520 wrote to memory of 2824	2520	Grinnellia.exe	32

C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe
"C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\juvenile\Grinnellia.exe
  "C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nonhazardousness

Filesize
203KB

MD5
0f0e24395c2e1a1042f0ae0cb9808b30

SHA1
64eb183637e19f0e81d58fe3f563a33b1db761bc

SHA256
ec2be3d8ca3919ff410f92468a94f348783853cc75cc2c078ba75748f1ae0ff1

SHA512
a044c8c063588dd7c7652f6a7b7b547818770002894da658c969a225c509d29d8d321d43dd8a9dcb19624fac12a77cc3d5271c0cb409ba668768f06984d20128

Download Submit
\Users\Admin\AppData\Local\juvenile\Grinnellia.exe

Filesize
585KB

MD5
e4abeca3f1e138479cda142530fbc810

SHA1
5b010c25a6b4702d6d0ea9c48d2a3339de5d5182

SHA256
b50fc7113a6c52967913e5bada3755364af76c2188ed621af5f23c3669648425

SHA512
93b8dea3bc03d88c1ac6e6b0e171f3db2153f73c139dc513b6ee16c74f4499461e92cf06bf2421fef2463f0441f8db655c1c4ae38c2c1705fe805035e31a5ab3

Download Submit
memory/1504-12-0x0000000000B90000-0x0000000000B94000-memory.dmp

Filesize
16KB

Download
memory/1504-20-0x0000000000C00000-0x0000000000D51000-memory.dmp

Filesize
1.3MB

Download
memory/1504-17-0x0000000002AA0000-0x0000000002BF1000-memory.dmp

Filesize
1.3MB

Download
memory/1504-0-0x0000000000C00000-0x0000000000D51000-memory.dmp

Filesize
1.3MB

Download
memory/2520-43-0x00000000002F0000-0x0000000000441000-memory.dmp

Filesize
1.3MB

Download
memory/2520-21-0x00000000002F0000-0x0000000000441000-memory.dmp

Filesize
1.3MB

Download
memory/2824-37-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-44-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2824-45-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download
memory/2824-46-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2824-47-0x00000000745F0000-0x0000000074CDE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing