agenttesla | 5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 10172024.bat.exe
Size

860KB
MD5

b0c43a399cb887cecbb33049458c1734
SHA1

b87560b57a5dc09b7f10ec4c4b5bb375f110a76b
SHA256

5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241
SHA512

b1bfe4519d32f17922362ba7fa818ae988fa37ee7b06710d2aad7961694eecf77f7d1ffff4ef05969ae20c5daedbdb963bce943367dc45744087cd9da6cd0676
SSDEEP

24576:xw5i2E3kkGk359DsibOF+17TWdg0F7RR5:x1l59DdOF+17TWSyR5

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
3980	Order 10172024.bat.exe
3980	Order 10172024.bat.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org
26	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4048	Order 10172024.bat.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3980	Order 10172024.bat.exe
4048	Order 10172024.bat.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3980 set thread context of 4048	3980	Order 10172024.bat.exe	93

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Dicer\Tabitta.ini	Order 10172024.bat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 10172024.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 10172024.bat.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4048	Order 10172024.bat.exe
4048	Order 10172024.bat.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3980	Order 10172024.bat.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	Order 10172024.bat.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 4048	3980	Order 10172024.bat.exe	93
PID 3980 wrote to memory of 4048	3980	Order 10172024.bat.exe	93
PID 3980 wrote to memory of 4048	3980	Order 10172024.bat.exe	93
PID 3980 wrote to memory of 4048	3980	Order 10172024.bat.exe	93
PID 3980 wrote to memory of 4048	3980	Order 10172024.bat.exe	93

C:\Users\Admin\AppData\Local\Temp\Order 10172024.bat.exe
"C:\Users\Admin\AppData\Local\Temp\Order 10172024.bat.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Users\Admin\AppData\Local\Temp\Order 10172024.bat.exe
  "C:\Users\Admin\AppData\Local\Temp\Order 10172024.bat.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nseA9A4.tmp

Filesize
23B

MD5
742d3f392842fd0a5ebecea567c2af34

SHA1
b680bc716a2b53ef6af5edcbf222e6ac2606e1e8

SHA256
c7c952a7580d506f694240eb56e705a182561523c14116ab5aab1c2c87f886bf

SHA512
1642176efc91de80dd89412d982f8c9b1b53a0c96067fdbb70cc04a94c0d37d18caee0bdfab9666930af4e50ad37fdb5335e58c210b67fa59420044d4130aedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseA9A4.tmp

Filesize
27B

MD5
4957153fabb445fb18c9ebc9c311f34d

SHA1
d12d7a2c8a4b61bae681b19b9a07a06a0d0d4632

SHA256
fbaa92d310219f370662dbcb3d8023c007b4786d0bf979228690d4df2cf89c91

SHA512
4c0ee80abbe5748e3b794982585dc819c57f59429ef47ab628a801d05752daea92e7ef97088556b5411a49e8724157ee748a0e40c3efc0962927783fc1a44cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA974.tmp

Filesize
31B

MD5
5415d7b5f473470da156e7453759be0a

SHA1
58cd7f10d07971346f26146e8fd7103f421e094a

SHA256
761068ce3e6a6df09bf30f006f40a21d1ea84dad04f61906ac807f68eda52947

SHA512
560af3a778d993cdd475f90e9a8df55b7e402291cf1787b73d1d5c3f1c4366975282b3685c51c59b2a3f3bdb2374b94aeda84ceaa1b65973278168546eb239f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA974.tmp

Filesize
35B

MD5
b2c3260410bc650a4c0e5a6c9d3fae44

SHA1
40a4887c936a6a2a38c08ac603e78bea365791e5

SHA256
ed36fdc521f579aeb2176c4044d804fdbfddc29527782b7eac6cac42ade883f4

SHA512
ce2366829733d9f2418584b5858173bcc9633732ea71b7b1ffda7470018bd6b10820f8770497ffff2bac723af89063e4cbc6865b7cb11b0fcf3082fc979c1114

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA944.tmp

Filesize
20B

MD5
981d979ec49cb64b078f50013c191acd

SHA1
18f103644da4913b96391b7d457ded5706e4d0f2

SHA256
f4e95849a9bf43f048e70b6beb4716762d41fd3efcb59bc58923386a6e3aeb5b

SHA512
d2901d088095cfb15227db5b49f510591e3480be1d4bd16991e794347657bcc4e1e940834961a09d9eaf48c3224886b850973a8eff9cd3ee74f7eec622bb6eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA944.tmp

Filesize
50B

MD5
d562ded724682dfe26802c35c4d3a6f8

SHA1
67741c9a7e95df2901c556f832998edf0fd05739

SHA256
8db280444847ff2ee4e91a8026f45557c33596980bea5226cca8fd2e017baae0

SHA512
b24295f956f8241f0be5bef55f37ed77016cf4898adcf70c02fc088f88f7307135beddb64a8da34e2cd6511a902c0fd32860cb428da3ed0575f53457d16a62ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA944.tmp

Filesize
48B

MD5
1bfe1c7db3ed48f45bfa7f9ec6e72090

SHA1
dd64286cbc3e0bae2cee22b1426ff3791246a6e6

SHA256
61cbf51021e3cf26e91c2e8ebb6eb54136efe070f5b9cd7e4bf8145047fcb5a2

SHA512
8169db0b141d3bb6da3bebaa9b9fc2ee35e056fc249d13474d6915997e739dacdbc6c8a971ba41aa2ae07e99cadcc315509f21aa87d9d008322e564bfaf97f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA944.tmp

Filesize
60B

MD5
c4c9d64303bd337eeae8041f97eaaed7

SHA1
18103f5f8c956ee046b8782bc58ef55fff25263c

SHA256
5fca1a7f711abf4fb52460347e386260b7215ff11657958e6e77a5acfcd935ac

SHA512
88e6a3ffa45c81e58e6cdd152ae7fa49dc16bbc991720f7100dc3375f170550601e5ad5c388edf95532bbb4c1bcfb7676e5d78a544bdb19db931f76a0078be84

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA913.tmp\System.dll

Filesize
11KB

MD5
4d3b19a81bd51f8ce44b93643a4e3a99

SHA1
35f8b00e85577b014080df98bd2c378351d9b3e9

SHA256
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

SHA512
b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA914.tmp

Filesize
26B

MD5
b7e56998ef81615a40866acb94c2f30a

SHA1
205d7d70bb8077a220d58f0bea2975fef5acf95a

SHA256
0b50a60cc7418cc1aec43be27dad966a1cf62eea10f825cb93d62b265c7e5dd7

SHA512
4f8a5482c7a21fc0f33e7da187ba7e9ef1250729ec30e56cee98c86e96a5307387436639040905f88ac9af24117d8c8094d142a70c2144c5935b1ace877dd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA914.tmp

Filesize
29B

MD5
f302a24fc452fd85d13ad30a272d6f35

SHA1
3b9153f575b70084ae04fd55d5c86169eaa60916

SHA256
2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a

SHA512
477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA914.tmp

Filesize
34B

MD5
2a9c98ea1aa7a05604ab51073fcd45c7

SHA1
3f970ebeb4f5ef40f8bb1e16d64ab410c3af3962

SHA256
ba493b1e2704c417662224230bffa2effae24f9fbf8c56a7bcb93ac02bc2abd9

SHA512
fe999f6186c4bb20113cfdddba193cf777941a9ce223f0c6d8f85dc5e2668df6f820922d7b75f255ec2d5355f1881f3867686363f4c5f630ffa8b48b079d7647

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA914.tmp

Filesize
43B

MD5
861b54f1598ea66927bfe815c60b07bf

SHA1
05ed884e4bbf1b3f5564849ea66130977618f482

SHA256
5c9b9d544efddd32a858390c7f0f7123f4b06e201de44f6e59397d49bac23f42

SHA512
ff5b0a987698f4510e63d63ab6ee8738deda76b8b858d989b951918ee388f63519528afd76e521c16b0e8559939c184e05cb1be33fb4af49e026cb27c57fdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA914.tmp

Filesize
49B

MD5
1aeb67240bc704bf6cc2fa0a6f52a970

SHA1
0d5cbc71d7e606e7f1a68332be8a7a5a7b4be02d

SHA256
bbd283b5a658ac95e8811c820de41f911e7559e982d9378b5b14c3f7cb5ccb6d

SHA512
c64bdb3c49ff5ca422fe5a4a03fac5145072f7cf692addc23e811ce39c25fc7fcb8e15a07fd770eb8d392d86cfc12c3520b080899a4d2c85646c09b181f2b47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA914.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
6B

MD5
50484c19f1afdaf3841a0d821ed393d2

SHA1
c65a0fb7e74ffd2c9fc3a0f9aacb0f6a24b0a68b

SHA256
6923dd1bc0460082c5d55a831908c24a282860b7f1cd6c2b79cf1bc8857c639c

SHA512
d51a20d67571fe70bcd6c36e1382a3c342f42671c710090b75fcfc2405ce24488e03a7131eefe4751d0bd3aeaad816605ad10c8e3258d72fcf379e32416cbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
10B

MD5
9a53fc1d7126c5e7c81bb5c15b15537b

SHA1
e2d13e0fa37de4c98f30c728210d6afafbb2b000

SHA256
a7de06c22e4e67908840ec3f00ab8fe9e04ae94fb16a74136002afbaf607ff92

SHA512
b0bffbb8072dbdcfc68f0e632f727c08fe3ef936b2ef332c08486553ff2cef7b0bcdb400e421a117e977bb0fac17ce4706a8097e32d558a918433646b6d5f1a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
28B

MD5
2490402a1d7d19949dd2a237b95af06f

SHA1
9a960e98c750e3fc7e44cdd6e1af20e690d893b1

SHA256
bb92b5197bb4677950b78f816a8170797d0392af55e31d0f0744fe9c99f7e9b8

SHA512
f3d299910eee8e8ace51ae3e7d79d12f7f68bfbcdaa0d7b8b66d505c4bdba7d95a97aeefc9f22868989115a99f81e0e3e9480e0d3e9af5fa27d2d9b0e961b52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
35B

MD5
6308721206dbe8d1a8268f3c1b0aea1c

SHA1
8e2d87577161a86714c59df837fc0d5aac0bab5a

SHA256
65dd548600ae0d7d0fd7e126181efd7667b5d02c1ece19742c66ab4f31155c91

SHA512
51d2736cfc59466feb145ade821da741f9d10617c1a358465f49f06f9f1c1246a23cef4f63b6a423f380453d02cbb01d50d75dc5c0f6b11d4f85bf94cdba303d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
40B

MD5
28a6676780b5dc10cce96a2b07fd2dce

SHA1
2f49455fac0d2dfa8a3b087dcd14e1c62f97c94b

SHA256
b10b2877ad9f4d77d275562f4a233c4d2900e36568d5e1761c3d92b33e050a7a

SHA512
801b2519bc90819eb45aab326909e0a3e83dd3bce7b491f3489b2be4b0d0ef947245d2fbc6fd1702436378e48ec3a6a90f1f6df43684d614aa3fecc40382fca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA895.tmp

Filesize
46B

MD5
46bc3b3f30f2703822d77228cf71c47f

SHA1
880c185810ea2b075648c9d0aac41487c8383059

SHA256
8bf4c616c9a55aafdc1a48ebdb11f8fbea6fb2465aa2f216e4efad6d540a1d99

SHA512
b8dd0e24989ee9acf9eb6b86dfb7f87d1d11f96458981170b7557aa1e26bb995a9ff785c8a98a54327ab12a7868d9c404b221e5f09e401d431dbb0120042946d

Download Submit
memory/3980-568-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/3980-567-0x0000000077261000-0x0000000077381000-memory.dmp

Filesize
1.1MB

Download
memory/3980-566-0x00000000047F0000-0x0000000006055000-memory.dmp

Filesize
24.4MB

Download
memory/3980-569-0x00000000047F0000-0x0000000006055000-memory.dmp

Filesize
24.4MB

Download
memory/4048-573-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/4048-571-0x00000000772E8000-0x00000000772E9000-memory.dmp

Filesize
4KB

Download
memory/4048-572-0x0000000077305000-0x0000000077306000-memory.dmp

Filesize
4KB

Download
memory/4048-570-0x00000000016F0000-0x0000000002F55000-memory.dmp

Filesize
24.4MB

Download
memory/4048-574-0x0000000000490000-0x00000000004D2000-memory.dmp

Filesize
264KB

Download
memory/4048-575-0x0000000035840000-0x0000000035DE4000-memory.dmp

Filesize
5.6MB

Download
memory/4048-576-0x00000000334E0000-0x0000000033546000-memory.dmp

Filesize
408KB

Download
memory/4048-577-0x00000000016F0000-0x0000000002F55000-memory.dmp

Filesize
24.4MB

Download
memory/4048-578-0x0000000036770000-0x00000000367C0000-memory.dmp

Filesize
320KB

Download
memory/4048-579-0x00000000367C0000-0x0000000036852000-memory.dmp

Filesize
584KB

Download
memory/4048-580-0x0000000036890000-0x000000003689A000-memory.dmp

Filesize
40KB

Download
memory/4048-582-0x0000000077261000-0x0000000077381000-memory.dmp

Filesize
1.1MB

Download