agenttesla | 702bfa8f5e655b8e697c0da0fe6ef8d381ddc9ee9f8fdb75b4fdddf19c30758a

General

Target

UAE7890-0987654.exe
Size

792KB
MD5

98078b4fc9598e0abf14580358bdb595
SHA1

7569139aa8940c37ee30425763a9225042c9bc4a
SHA256

be355266f38c5cddc82ad263354ea1de12ff6a9f8c008c412e22d94a30db6a84
SHA512

2591c7169791a7c8c875355c92add12eaca36509707404dd0dde22cbe752e96637384cf59b95b7df985abb86f8d0a727dc74bc18b69659c8ea7e1bb8846c7c8b
SSDEEP

24576:tthEVaPqLUgNxuELZ/u23IDHtoVJKzrJs02hb:VEVUc5NxHLA23cNqmFvS

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs	gehlenite.exe

Executes dropped EXE 1 IoCs

pid	Process
1984	gehlenite.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/1984-8-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/3028-10-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe
behavioral2/memory/1984-14-0x0000000003EA0000-0x00000000042A0000-memory.dmp	autoit_exe
behavioral2/memory/1984-18-0x0000000000400000-0x00000000004C2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 3588	1984	gehlenite.exe	83

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3028-0-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/files/0x00070000000234b1-6.dat	upx
behavioral2/memory/1984-8-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/3028-10-0x0000000000400000-0x00000000004C2000-memory.dmp	upx
behavioral2/memory/1984-18-0x0000000000400000-0x00000000004C2000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gehlenite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UAE7890-0987654.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	RegSvcs.exe
3588	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1984	gehlenite.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3028	UAE7890-0987654.exe
3028	UAE7890-0987654.exe
1984	gehlenite.exe
1984	gehlenite.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3028	UAE7890-0987654.exe
3028	UAE7890-0987654.exe
1984	gehlenite.exe
1984	gehlenite.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1984	3028	UAE7890-0987654.exe	82
PID 3028 wrote to memory of 1984	3028	UAE7890-0987654.exe	82
PID 3028 wrote to memory of 1984	3028	UAE7890-0987654.exe	82
PID 1984 wrote to memory of 3588	1984	gehlenite.exe	83
PID 1984 wrote to memory of 3588	1984	gehlenite.exe	83
PID 1984 wrote to memory of 3588	1984	gehlenite.exe	83
PID 1984 wrote to memory of 3588	1984	gehlenite.exe	83

C:\Users\Admin\AppData\Local\Temp\UAE7890-0987654.exe
"C:\Users\Admin\AppData\Local\Temp\UAE7890-0987654.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\derogates\gehlenite.exe
  "C:\Users\Admin\AppData\Local\Temp\UAE7890-0987654.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\UAE7890-0987654.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\derogates\gehlenite.exe

Filesize
792KB

MD5
98078b4fc9598e0abf14580358bdb595

SHA1
7569139aa8940c37ee30425763a9225042c9bc4a

SHA256
be355266f38c5cddc82ad263354ea1de12ff6a9f8c008c412e22d94a30db6a84

SHA512
2591c7169791a7c8c875355c92add12eaca36509707404dd0dde22cbe752e96637384cf59b95b7df985abb86f8d0a727dc74bc18b69659c8ea7e1bb8846c7c8b

Download Submit
memory/1984-18-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1984-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1984-14-0x0000000003EA0000-0x00000000042A0000-memory.dmp

Filesize
4.0MB

Download
memory/3028-10-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3028-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3028-3-0x0000000004340000-0x0000000004740000-memory.dmp

Filesize
4.0MB

Download
memory/3588-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3588-19-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/3588-20-0x00000000054D0000-0x0000000005A74000-memory.dmp

Filesize
5.6MB

Download
memory/3588-21-0x0000000004F90000-0x0000000004FF6000-memory.dmp

Filesize
408KB

Download
memory/3588-22-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/3588-23-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/3588-24-0x0000000006310000-0x0000000006360000-memory.dmp

Filesize
320KB

Download
memory/3588-25-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/3588-26-0x000000007403E000-0x000000007403F000-memory.dmp

Filesize
4KB

Download
memory/3588-27-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing