agenttesla | af5d33f6d6968f482d8cee26b7d9d4f809525de3854f25dcf187e611445dfaf3

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 10172024.exe
Size

860KB
MD5

b0c43a399cb887cecbb33049458c1734
SHA1

b87560b57a5dc09b7f10ec4c4b5bb375f110a76b
SHA256

5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241
SHA512

b1bfe4519d32f17922362ba7fa818ae988fa37ee7b06710d2aad7961694eecf77f7d1ffff4ef05969ae20c5daedbdb963bce943367dc45744087cd9da6cd0676
SSDEEP

24576:xw5i2E3kkGk359DsibOF+17TWdg0F7RR5:x1l59DdOF+17TWSyR5

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2224	Order 10172024.exe
2224	Order 10172024.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2472	Order 10172024.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2224	Order 10172024.exe
2472	Order 10172024.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2472	2224	Order 10172024.exe	31

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Dicer\Tabitta.ini	Order 10172024.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 10172024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 10172024.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2472	Order 10172024.exe
2472	Order 10172024.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2224	Order 10172024.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	Order 10172024.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2472	2224	Order 10172024.exe	31
PID 2224 wrote to memory of 2472	2224	Order 10172024.exe	31
PID 2224 wrote to memory of 2472	2224	Order 10172024.exe	31
PID 2224 wrote to memory of 2472	2224	Order 10172024.exe	31
PID 2224 wrote to memory of 2472	2224	Order 10172024.exe	31
PID 2224 wrote to memory of 2472	2224	Order 10172024.exe	31

C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe
"C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe
  "C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsdCFC2.tmp

Filesize
7B

MD5
67cfa7364c4cf265b047d87ff2e673ae

SHA1
56e27889277981a9b63fcf5b218744a125bbc2fa

SHA256
639b68bd180b47d542dd001d03557ee2d5b3065c3c783143bc9fb548f3fd7713

SHA512
17f28a136b20b89e9c3a418b08fd8e6fcaac960872dc33b2481af2d872efc44228f420759c57724f5d953c7ba98f2283e2acc7dfe5a58cbf719c6480ec7a648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCFC2.tmp

Filesize
15B

MD5
64c34dda0003aa56030f5cef66dd8616

SHA1
8f3f9e66c5b9d35715b3c6d8aa800450f6db95fb

SHA256
a3f3ef6dbcdd25537eb2d093b42fcb85c2e84522ae1aab7bf924dc00eb3ef870

SHA512
0f01df79160393b6e7c6ea2d302bd9c1613a269ca0cb09d300d6c98dbff12e0aa3456e89c16842de77353c32edb4df565ac0709a66dc48375088f8dbba3b277f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCFC2.tmp

Filesize
40B

MD5
72a0970ae6648d5df4e6eec05342b853

SHA1
ebc172037d7d5a7a294526ea3a6872fe659ff038

SHA256
4c7f2a06cb567426c47293e7baa95ad7098d20adec15477da80179acac85cfbc

SHA512
1d59b842d93c88a2e0b25a2fe0a52e6b3b505b89ee3292469185866f2294fa4704334f797a2fee91cbca1a62fd4ffe212b5fd22ead8f2e7e0a61cf39eca65456

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdCFC2.tmp

Filesize
49B

MD5
bd455ff5b3cc0bcf4b274e47b7622cb1

SHA1
636a3df80b338ba263964bb360318ab5bfa1237b

SHA256
64250d2e1d369a13ad03f754095a1dbde4e1ea9e8e5ce81761df209c84c4bf81

SHA512
da03dcb4f7c8a7562acfff7019dcecb1392de16f459cd02378f01e2db30a2692601c56f617456d669b1dbfe3420756a20e360e933bb0e14637a3c39e43c5d0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCF42.tmp

Filesize
40B

MD5
28a6676780b5dc10cce96a2b07fd2dce

SHA1
2f49455fac0d2dfa8a3b087dcd14e1c62f97c94b

SHA256
b10b2877ad9f4d77d275562f4a233c4d2900e36568d5e1761c3d92b33e050a7a

SHA512
801b2519bc90819eb45aab326909e0a3e83dd3bce7b491f3489b2be4b0d0ef947245d2fbc6fd1702436378e48ec3a6a90f1f6df43684d614aa3fecc40382fca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCF42.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCF93.tmp

Filesize
18B

MD5
cd0c38af71efb097ce402c588b17ff09

SHA1
8da4e54a7b95932f752a88ea416fa31d0c7c2fbe

SHA256
1630fc3705a57982a8939a6550615a92d8998f0c3394caeca0ae3019427ec50a

SHA512
03603368dbca419de6ad8ef10bb6c9670e83f06d2b3b7d7b5ebccf255473d7abb1cca1c7e0f2c2d49cd3f84c599ee5e71b03582567c95f3f76d5e54931a6ed06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCF93.tmp

Filesize
29B

MD5
5b2357aa9ee8d93ebc8fea2a7da01fda

SHA1
3a5bb5ceeeb26ee649ce9c8fa1c47e45d8c8f00a

SHA256
f2b723416cc41c59b870a8fbbe8ecab3cd0cf2298902649a50668b1b88e6e835

SHA512
03d9cbca3d09de197530779f90b8864da4a34aa50a7dc87fdd964ac53a5a6a73f543fe5727fc2df29b9cf5b3646b1ffc60b90883148c1989fdbcee5658582fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjCF93.tmp

Filesize
47B

MD5
38c000521efa2d906ae3d3e34c266b5d

SHA1
bdf4fe3dd0cacf6e4d2f9790fbdd487a4c4e86b0

SHA256
cd2c17867bc6d9911e8149d8567b89d5edb675734f2f7dc6a8081fca6efaaec4

SHA512
bf3c5ee7c4a9f2bca973ca2404a829133741e00d59883ad2e908349216a081ccfc0211329ce3df23009d085c1fcaac8bce11017f8924a93830987d5d985b8ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCF82.tmp

Filesize
43B

MD5
861b54f1598ea66927bfe815c60b07bf

SHA1
05ed884e4bbf1b3f5564849ea66130977618f482

SHA256
5c9b9d544efddd32a858390c7f0f7123f4b06e201de44f6e59397d49bac23f42

SHA512
ff5b0a987698f4510e63d63ab6ee8738deda76b8b858d989b951918ee388f63519528afd76e521c16b0e8559939c184e05cb1be33fb4af49e026cb27c57fdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstCF82.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCFF2.tmp

Filesize
16B

MD5
ebceb0a1fed026e3e34e7b8da2d4a813

SHA1
792fda9449b9d86f592c58b90ac24df15db59e45

SHA256
36be9a2540809bed9173f5517226ee7301996dbd5a7b07451a512a0e2ceccc8c

SHA512
cd3534dfb1ea2f0cf392304bcb36ecfb3a4e4125162973974ff9ec4e52c5d0940a734b18f592f7e81459afc2b6e35452163f7068267fc957c4c09894f45f969a

Download Submit
\Users\Admin\AppData\Local\Temp\nsdCF71.tmp\System.dll

Filesize
11KB

MD5
4d3b19a81bd51f8ce44b93643a4e3a99

SHA1
35f8b00e85577b014080df98bd2c378351d9b3e9

SHA256
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

SHA512
b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

Download Submit
memory/2224-568-0x0000000003890000-0x00000000050F5000-memory.dmp

Filesize
24.4MB

Download
memory/2224-570-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2224-569-0x0000000077831000-0x0000000077932000-memory.dmp

Filesize
1.0MB

Download
memory/2224-572-0x0000000003890000-0x00000000050F5000-memory.dmp

Filesize
24.4MB

Download
memory/2472-571-0x0000000077830000-0x00000000779D9000-memory.dmp

Filesize
1.7MB

Download
memory/2472-573-0x0000000000490000-0x00000000014F2000-memory.dmp

Filesize
16.4MB

Download
memory/2472-574-0x0000000000490000-0x00000000004D2000-memory.dmp

Filesize
264KB

Download