agenttesla | c82046986624ca53191cffe0aa3316bbbacd49551e31eb2df0f66b7ee29a70fd

General

Target

F0987654678000.exe
Size

585KB
MD5

e4abeca3f1e138479cda142530fbc810
SHA1

5b010c25a6b4702d6d0ea9c48d2a3339de5d5182
SHA256

b50fc7113a6c52967913e5bada3755364af76c2188ed621af5f23c3669648425
SHA512

93b8dea3bc03d88c1ac6e6b0e171f3db2153f73c139dc513b6ee16c74f4499461e92cf06bf2421fef2463f0441f8db655c1c4ae38c2c1705fe805035e31a5ab3
SSDEEP

12288:yYV6MorX7qzuC3QHO9FQVHPF51jgcdF++2Jw4THc7E6mVIE:BBXu9HGaVHWxJwGHcg6mv

Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Grinnellia.vbs	Grinnellia.exe

Executes dropped EXE 1 IoCs

pid	Process
3832	Grinnellia.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2816-0-0x0000000000210000-0x0000000000361000-memory.dmp	upx
behavioral2/files/0x0002000000022f9b-15.dat	upx
behavioral2/memory/2816-17-0x0000000000210000-0x0000000000361000-memory.dmp	upx
behavioral2/memory/3832-18-0x0000000000870000-0x00000000009C1000-memory.dmp	upx
behavioral2/memory/3832-36-0x0000000000870000-0x00000000009C1000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/2816-17-0x0000000000210000-0x0000000000361000-memory.dmp	autoit_exe
behavioral2/memory/3832-36-0x0000000000870000-0x00000000009C1000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3832 set thread context of 4820	3832	Grinnellia.exe	87

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F0987654678000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Grinnellia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4820	RegSvcs.exe
4820	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3832	Grinnellia.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	RegSvcs.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2816	F0987654678000.exe
2816	F0987654678000.exe
3832	Grinnellia.exe
3832	Grinnellia.exe
3832	Grinnellia.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2816	F0987654678000.exe
2816	F0987654678000.exe
3832	Grinnellia.exe
3832	Grinnellia.exe
3832	Grinnellia.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3832	2816	F0987654678000.exe	85
PID 2816 wrote to memory of 3832	2816	F0987654678000.exe	85
PID 2816 wrote to memory of 3832	2816	F0987654678000.exe	85
PID 3832 wrote to memory of 4820	3832	Grinnellia.exe	87
PID 3832 wrote to memory of 4820	3832	Grinnellia.exe	87
PID 3832 wrote to memory of 4820	3832	Grinnellia.exe	87
PID 3832 wrote to memory of 4820	3832	Grinnellia.exe	87

C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe
"C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\juvenile\Grinnellia.exe
  "C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\F0987654678000.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drawlingly

Filesize
239KB

MD5
8100d54cd1da2d955aec2442330b9a3a

SHA1
b56fbf35202ebf525ff736d7844ab285b9193c5a

SHA256
295ef8d029e2ba16fccc828745d7f260ab4cea90ab2c01094b85e0bcbf0c17cd

SHA512
4d46527585f0b908b60993e3c69ba5fe7fec84ebcfb69eaa842d6fc7486f0f00462542d7116b4b04032eaad9edd555f50e765415e67c9e86da0e966c6c0cf243

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonhazardousness

Filesize
203KB

MD5
0f0e24395c2e1a1042f0ae0cb9808b30

SHA1
64eb183637e19f0e81d58fe3f563a33b1db761bc

SHA256
ec2be3d8ca3919ff410f92468a94f348783853cc75cc2c078ba75748f1ae0ff1

SHA512
a044c8c063588dd7c7652f6a7b7b547818770002894da658c969a225c509d29d8d321d43dd8a9dcb19624fac12a77cc3d5271c0cb409ba668768f06984d20128

Download Submit
C:\Users\Admin\AppData\Local\juvenile\Grinnellia.exe

Filesize
585KB

MD5
e4abeca3f1e138479cda142530fbc810

SHA1
5b010c25a6b4702d6d0ea9c48d2a3339de5d5182

SHA256
b50fc7113a6c52967913e5bada3755364af76c2188ed621af5f23c3669648425

SHA512
93b8dea3bc03d88c1ac6e6b0e171f3db2153f73c139dc513b6ee16c74f4499461e92cf06bf2421fef2463f0441f8db655c1c4ae38c2c1705fe805035e31a5ab3

Download Submit
memory/2816-12-0x0000000001720000-0x0000000001724000-memory.dmp

Filesize
16KB

Download
memory/2816-17-0x0000000000210000-0x0000000000361000-memory.dmp

Filesize
1.3MB

Download
memory/2816-0-0x0000000000210000-0x0000000000361000-memory.dmp

Filesize
1.3MB

Download
memory/3832-36-0x0000000000870000-0x00000000009C1000-memory.dmp

Filesize
1.3MB

Download
memory/3832-18-0x0000000000870000-0x00000000009C1000-memory.dmp

Filesize
1.3MB

Download
memory/4820-34-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4820-37-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/4820-38-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/4820-39-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/4820-40-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download
memory/4820-41-0x0000000006C10000-0x0000000006C60000-memory.dmp

Filesize
320KB

Download
memory/4820-42-0x0000000006D00000-0x0000000006D92000-memory.dmp

Filesize
584KB

Download
memory/4820-43-0x0000000006C90000-0x0000000006C9A000-memory.dmp

Filesize
40KB

Download
memory/4820-44-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

Filesize
4KB

Download
memory/4820-45-0x0000000074FE0000-0x0000000075790000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing