agenttesla | af5d33f6d6968f482d8cee26b7d9d4f809525de3854f25dcf187e611445dfaf3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order 10172024.exe
Size

860KB
MD5

b0c43a399cb887cecbb33049458c1734
SHA1

b87560b57a5dc09b7f10ec4c4b5bb375f110a76b
SHA256

5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241
SHA512

b1bfe4519d32f17922362ba7fa818ae988fa37ee7b06710d2aad7961694eecf77f7d1ffff4ef05969ae20c5daedbdb963bce943367dc45744087cd9da6cd0676
SSDEEP

24576:xw5i2E3kkGk359DsibOF+17TWdg0F7RR5:x1l59DdOF+17TWSyR5

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2872	Order 10172024.exe
2872	Order 10172024.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	api.ipify.org
24	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4364	Order 10172024.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2872	Order 10172024.exe
4364	Order 10172024.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 4364	2872	Order 10172024.exe	91

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Dicer\Tabitta.ini	Order 10172024.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 10172024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order 10172024.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4364	Order 10172024.exe
4364	Order 10172024.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2872	Order 10172024.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4364	Order 10172024.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4364	2872	Order 10172024.exe	91
PID 2872 wrote to memory of 4364	2872	Order 10172024.exe	91
PID 2872 wrote to memory of 4364	2872	Order 10172024.exe	91
PID 2872 wrote to memory of 4364	2872	Order 10172024.exe	91
PID 2872 wrote to memory of 4364	2872	Order 10172024.exe	91

C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe
"C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe
  "C:\Users\Admin\AppData\Local\Temp\Order 10172024.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd8F50.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F50.tmp

Filesize
13B

MD5
968d5ad691d2a0ccc23d4e410546d745

SHA1
cd5f5f16097f4ced99c2e11f75c3c3b4b891416a

SHA256
bebca67508315817f99b0580d446f7c1e89f6ae4d56b362d2ebb446046104dcc

SHA512
e1f2d970247ae1f749b6561855006748fc0c7d0b58949d58186e423324ef77f381485e9a6603027366d67454cf6b20d40fb03da385da56a5f5336c7847d0e6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F50.tmp

Filesize
27B

MD5
b93641813851b1ad166b8163e5aeddc9

SHA1
642d989ceea62bcfd70fb74f3c62ade0c1c41d78

SHA256
1628c6bee5afc85044309f45e34190bc9ce8bd9516e30792460e14362657d42d

SHA512
eee31a0d51df3a7ba35ab4025f8d458c4d12b6f46412982ad34aef31d9e83c7070056a07777ed4b62fb3b92b376b618099374901ffe4f988fe0f853a0e57c8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F50.tmp

Filesize
36B

MD5
056fd9e747f45f72c12ed185db65ca8f

SHA1
96b9e5254b0c249a3393008a3fb160b18319532b

SHA256
b46a1b647cd0ac5d5ed27381e1559a8ed6244c5bb7a0d27a41ab1784c40bef85

SHA512
93f9577f9226d4c090034d81735a61a4505da2068e207d5885452637bfcf87f434278e58db281bce79d49e0d941bf3ead9550541b459fad386a7dd60e24c4446

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd8F50.tmp

Filesize
41B

MD5
9b63af13344f6ef82f01f463737f3a43

SHA1
8d8b471641cae2462b39fa096c26475167bbf274

SHA256
8b0454c42dded71d9ee62354260d89e0565bb803a300bb2c49c9dd50fd2d1c4b

SHA512
708585072fc9f56b68a2737726b580347861fc188d60b19e59d9b6b4a9fcd25e39a972254146f97d4aee32fc9502546c5da2803b027222f70de6d223e93db674

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse903F.tmp

Filesize
45B

MD5
d5fa28f2a6303816fa17bab92a60ceda

SHA1
f8c2c246d1ee826205625b94a2ab5de23a383224

SHA256
dce86f5071a4b457a8eeaf79568cbbf560b74e2549efd1a97a8121f7019bdfa6

SHA512
422f345fa53aefcf20bcd5d158e02f055e550a7c603c58010db6c43a7f1080a5cb18c6a89df86648d2fa4792b56950320338e5ae15ec0a89482b7a41cfdf3cd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse903F.tmp

Filesize
56B

MD5
8cf07b0e087d92cf064b0c5435ccf950

SHA1
63924471413ac6fc2e482e677c934feb238ff238

SHA256
6c2f91346e17160570f07696c30f5c5a92693b37a9137c37a32e7861ce09abbb

SHA512
bec0ecfa008274f8ef8a26b8c02dd9e19fa0221486637e25a7ef20b6523a58dc81a6546a0d62370a080f8160f0bb741543a6ebbaa1549ef79c1ea6406a6eb8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj900F.tmp

Filesize
23B

MD5
cc425c0e67a76a3ef42ffd875ac98788

SHA1
81867852fcd85548b1dc0d6a4acd4135055ff869

SHA256
2787c54979c964e4cc50064d4d89581a327a02067a8efb1be41764f428e9b5ee

SHA512
da263e2abfe2b2f1809edd4f67e76051141c16ddc1fd8c19f24e494c1e2bde6cdc099799bedac0cdcc2b5e06a1d6ea2d582023d4dbfb0cf03a690f7daa09d8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj900F.tmp

Filesize
46B

MD5
ba1366876ca36193286b34169ff93a92

SHA1
51171219231306ded13293ad53529730801d4121

SHA256
2cd452ad20228fab06ce5015a1810b9ac809981c8dd429ba83106c7121d08b5d

SHA512
9eae7b986b90ed489e4287702a7f06ca7d2d4b809b6fcfd3283cd9eda85345330ab9f39b03ede9c6dfbfb07af70af5e7ca3735cdb575e2c5170eaf70d2982098

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj900F.tmp

Filesize
60B

MD5
c4c9d64303bd337eeae8041f97eaaed7

SHA1
18103f5f8c956ee046b8782bc58ef55fff25263c

SHA256
5fca1a7f711abf4fb52460347e386260b7215ff11657958e6e77a5acfcd935ac

SHA512
88e6a3ffa45c81e58e6cdd152ae7fa49dc16bbc991720f7100dc3375f170550601e5ad5c388edf95532bbb4c1bcfb7676e5d78a544bdb19db931f76a0078be84

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj905F.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8FDE.tmp\System.dll

Filesize
11KB

MD5
4d3b19a81bd51f8ce44b93643a4e3a99

SHA1
35f8b00e85577b014080df98bd2c378351d9b3e9

SHA256
fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce

SHA512
b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8FDF.tmp

Filesize
27B

MD5
0ec6691c283ddc7f19331d3c214c58d2

SHA1
5b30d6927130c7a3ce16dfa809238c6f6fc61e6f

SHA256
1bf567e8c29ff4bd0866da8a312c38c4c2ffabf6916a87fa7bc7bbba2b42db36

SHA512
8ea2702bd97781067bdfe3008e9aa1da303db56b8d03bd076823308d299e369b2d989708ea707b5c4a51b96d3d07001e7f0c3d9767f08933fde0f9feba28493f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8FDF.tmp

Filesize
28B

MD5
d5c1c43dcbca7900a2751441b73a1402

SHA1
2ad884601eb948b72f2e980a05e6c05bfc4f04d7

SHA256
334995ac57ad095abcfa5ba0e9216285fc87f9026ea3ef2c67a42d1ed7ddf855

SHA512
1627d2cd136c30ba55dd3a336c05f20f90432bb0340ee75d2782328e2edc45e1213f9a315f7b5b61ce5340412f88109d5d13c833116835c3251d1751fce8854c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso8FDF.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
memory/2872-566-0x0000000004980000-0x00000000061E5000-memory.dmp

Filesize
24.4MB

Download
memory/2872-567-0x0000000077C01000-0x0000000077D21000-memory.dmp

Filesize
1.1MB

Download
memory/2872-568-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2872-569-0x0000000004980000-0x00000000061E5000-memory.dmp

Filesize
24.4MB

Download
memory/4364-571-0x0000000077C88000-0x0000000077C89000-memory.dmp

Filesize
4KB

Download
memory/4364-570-0x00000000016F0000-0x0000000002F55000-memory.dmp

Filesize
24.4MB

Download
memory/4364-572-0x0000000077CA5000-0x0000000077CA6000-memory.dmp

Filesize
4KB

Download
memory/4364-573-0x0000000000490000-0x00000000016E4000-memory.dmp

Filesize
18.3MB

Download
memory/4364-574-0x0000000000490000-0x00000000004D2000-memory.dmp

Filesize
264KB

Download
memory/4364-575-0x0000000035940000-0x0000000035EE4000-memory.dmp

Filesize
5.6MB

Download
memory/4364-576-0x0000000035860000-0x00000000358C6000-memory.dmp

Filesize
408KB

Download
memory/4364-577-0x00000000016F0000-0x0000000002F55000-memory.dmp

Filesize
24.4MB

Download
memory/4364-578-0x00000000368E0000-0x0000000036930000-memory.dmp

Filesize
320KB

Download
memory/4364-579-0x0000000036930000-0x00000000369C2000-memory.dmp

Filesize
584KB

Download
memory/4364-580-0x0000000036A00000-0x0000000036A0A000-memory.dmp

Filesize
40KB

Download
memory/4364-582-0x0000000077C01000-0x0000000077D21000-memory.dmp

Filesize
1.1MB

Download