agenttesla | 824651a985e34ad31a02aa31226883fe396f30cdd491f1da1453c5c79dae95fb

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Shipping Documents.exe
Size

1016KB
MD5

d6d14fc73f7e485b864a1dc1d8fde8f9
SHA1

85a6480abc0f54dafff5e4bc2b996e7655f91b2b
SHA256

fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b
SHA512

00a35cbb44902a58349995ac90800a935df7d28e5e81f3fbd786375be29d7b8dbfb974849046590c0f98702c6f21dbca7a40b5130aca80d84a9c44ee0374061c
SSDEEP

12288:m4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+IauB:/g/0yqiwv0f2SCHYAC+I9

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
1936	Shipping Documents.exe
1936	Shipping Documents.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	api.ipify.org
30	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\balances.fej	Shipping Documents.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3188	Shipping Documents.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1936	Shipping Documents.exe
3188	Shipping Documents.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1936 set thread context of 3188	1936	Shipping Documents.exe	93

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\underbeskftiget\luser.ini	Shipping Documents.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\boniterings\Ferskvandsserne.ini	Shipping Documents.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping Documents.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shipping Documents.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1936	Shipping Documents.exe
3188	Shipping Documents.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3188	Shipping Documents.exe
3188	Shipping Documents.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1936	Shipping Documents.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	Shipping Documents.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 3188	1936	Shipping Documents.exe	93
PID 1936 wrote to memory of 3188	1936	Shipping Documents.exe	93
PID 1936 wrote to memory of 3188	1936	Shipping Documents.exe	93
PID 1936 wrote to memory of 3188	1936	Shipping Documents.exe	93
PID 1936 wrote to memory of 3188	1936	Shipping Documents.exe	93

C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
  "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nshA52B.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
3B

MD5
4e27f2226785e9abbe046fc592668860

SHA1
28b18a7f383131df509f7191f946a32c5a2e410c

SHA256
01a219245e1501fee01ce0baea8f6065ce5162cea12fa570689a07c9717be81d

SHA512
2a23585835bdb5db8175cab265566042282841efdcee8aaba8b9b5d466b0f165c0c5973033ce94bb9a8f07a956689247981ea07ac5a51408263e1653d9710adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
8B

MD5
c3cb69218b85c3260387fb582cb518dd

SHA1
961c892ded09a4cbb5392097bb845ccba65902ad

SHA256
1c329924865741e0222d3ead23072cfbed14f96e2b0432573068eb0640513101

SHA512
2402fffeb89c531db742bf6f5466eee8fe13edf97b8ecfc2cace3522806b322924d1ca81dda25e59b4047b8f40ad11ae9216e0a0d5c7fc6beef4368eb9551422

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
16B

MD5
299751a30a50b5a6b62371c27fc4e478

SHA1
2a016fdba9876a7aade76bff3c4780633d5e6ef4

SHA256
0d4b1effa5ab30d5f6d9e6b1bd6de429d4a25075dbdf2f28d67beab72f6bff0e

SHA512
6917664885b34990ded6171ea01bfb2e1ff67e38455bee9d75e80d3905db7e7199679ae3761e290062e679ccf2555804b0ec1a59a5fd74c5069857c3326264e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
29B

MD5
f302a24fc452fd85d13ad30a272d6f35

SHA1
3b9153f575b70084ae04fd55d5c86169eaa60916

SHA256
2edbbfdef57bac60adc902d6bd15abb9c3e044c0f660c9a63135d37ac0f6c63a

SHA512
477c3efa5d2bf5ef6ac57a0dc190014f98ff0bd1181106edff7b0db01d58b7f0d8c6eb77266202249f035cc056a726bfd7abdc2e0d672aadc9a45ed29d4b1bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
42B

MD5
a736abcb9380cc3122c530302f713c8b

SHA1
04b4d0d386bd0ade20409730e8160c5c713fb36b

SHA256
5e8f7f2bad61bc10fa2f647e1367a29053166799244128a74508cc3c3a760c08

SHA512
234d99b774a992d86762c9d298dc62d612219234db760a259d6e21ed9d1f10dd810aefb4d9c82af254ceb7d64ff2811772dfc4350ccdfd4375f01a7b801cc333

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
43B

MD5
861b54f1598ea66927bfe815c60b07bf

SHA1
05ed884e4bbf1b3f5564849ea66130977618f482

SHA256
5c9b9d544efddd32a858390c7f0f7123f4b06e201de44f6e59397d49bac23f42

SHA512
ff5b0a987698f4510e63d63ab6ee8738deda76b8b858d989b951918ee388f63519528afd76e521c16b0e8559939c184e05cb1be33fb4af49e026cb27c57fdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshA52C.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA771.tmp

Filesize
21B

MD5
2dc5ae451f6175ae513bed5c4714d5ee

SHA1
4f47723723e7643a5b4c67f5f9d68cd834f80a4f

SHA256
180f6fc17f1d6e7d0878868f1643dc8c340f457eac0d6fc3680a95f1f9e7e54e

SHA512
9140fa690eca23bdf03d3058e6527c56cd51089b394ef681979f8e63cdc183fa942aecfd2d1061f50966fb998a5c0999b97b5b3a9af6aff1ce1d4826cfd42887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnA771.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA401.tmp

Filesize
37B

MD5
c641bfa28a71f86301ed9e81931da24c

SHA1
59770ef0e9c2658e6aacd708615767660a2dec66

SHA256
df9ef051e1940f576446c4ef6d4ee0f201488c4c0485c26ef2bd3923b3e6a761

SHA512
e2e24f388600ca77ea717c8ebf382ff961cf20ae054d807526dddf28e5a328cbacfb57a6d00ad43afca0a4bc00ebb3f42a169de1fa5787265f468fe9056d093e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA401.tmp

Filesize
52B

MD5
ea70cc86528476e4f1225362996952a6

SHA1
93851680188ae3f06e0b419fa5afe38de41b84eb

SHA256
86ecd210e4942095595b70f160ce629c222229b154e64cf97295beb83ade9f63

SHA512
86c4fe02a63c61776b1cda0bca20e87f97a0103d0e9e914e913a5047d2660a804f18a754029f4d1877010d9027968c20107862da56e0033529f9d58a26cde836

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA401.tmp

Filesize
53B

MD5
6601def372fd604346cc14113dbe6c2f

SHA1
55b5e2406ef28e7c45a60acc6f90795cc088493d

SHA256
f4bf549b30bb96f31c7aec31e319438324daac5f7483e906beadb08ce285bb0c

SHA512
4eae5d296860b66377467aea0e6b6077f2bd993c151c29e2d1428c1d262c49ab4f8ef91cc6a7857f9054a1c86c59f08b8d9168754f5e66f021c2d4a05fffb451

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA401.tmp

Filesize
73B

MD5
b80ef50d0f02b0e60035ddab237b744e

SHA1
addac470421ca09efee0c0718d805e1312246086

SHA256
d26183d8122f1a8b4a98c5716a0520bdf9b28b95fa3baac4af25c49d39bd1da9

SHA512
ccf91989bb62dfd85144b5b85528921f2a134515797fbe6be348852bca34e6e7bc27a7d6a17e7ba28b62a8c644581a092a892957c84853cbb29eea8cb6792820

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA5D9.tmp

Filesize
24B

MD5
c7b1e0162df5441fbc3308af5a364ba2

SHA1
f86b61c5ee11de018cd6e0683fea7b6384c11e9c

SHA256
c04969dc8e4f8f577e3313979fc89804ac3dc5f2108bb0ec712535ca27fd2ea5

SHA512
0422467fdb5258a307f8ab426fad92f580f1edfd97e97bdfc61fb40cbf17e9d262a5df6edd2296ff4cd72ab947cf166839688a1fd1aa0d389f919d4f05900904

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA5D9.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA5D9.tmp

Filesize
43B

MD5
16d50ed967901a3c9f62d4e8185aed3b

SHA1
5ae9db7721ced598a294ea93643d95577ded3f41

SHA256
fe7501810a8fd84beac83c0abdf44c08dff7eaae23c818a27ec75ce0cb21803c

SHA512
8100109eb1fb7b54dc7eda898e127e302676921268a75560889af36037fa6c7b2120a6922f288c8973ea5c96e95dde9d1f767d383bc93cc51ee5b9e79246d482

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA5D9.tmp

Filesize
50B

MD5
29794d23898bcc40f0ac8c229c06f281

SHA1
ac6f55876540d701be6cc590343f0116c47b30b1

SHA256
ae6ce97d41ac86deee6d01b14269ea305ddb99b136c25266d84275ef8cbcbe35

SHA512
220a4c7c69402b2228320b375fe0f1f72a7cf27069419b2fbb2cf988e13e1edfd055719873486dc6246696e5213f833caeca599e344ff55a2adc6cff89ad8294

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA5D9.tmp

Filesize
60B

MD5
5f0589a730cef19b880fd13800b042b5

SHA1
f7fae0baf60affc5eea4aa6bed5162f9e6c1f437

SHA256
909a37e6cb3dfb7389d559f1b4964835ca62c999ecee1376a0163437ae941ef9

SHA512
73846a43a22af00e166cea33cb12e6884eeb1e05510554fa96d0843f3e761a50dee2c74a27b731cd2e759f7069889c9e7f8ea20353b7103c0ba5c587e7f3da92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA676.tmp

Filesize
11B

MD5
cda05fedfd1133dfc6439e441829b6ba

SHA1
e0dfbcfe83a13922d365506312212928871f9c0b

SHA256
27fad7aa07fb564d9f9e0cbaf6515fe34bb0f8647cd200fee1eaad0167523099

SHA512
1180a5fac7c9c8ce445b5966b45bda7d38bb65d2ae2b1bb096d01e09476622bb0bf745dfed3104cd7b5da766322653bb14720b3394e2cb87950191a66b94efaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA676.tmp

Filesize
21B

MD5
536389bbf053b80ce24ccb866d88062d

SHA1
6b73170d96a856ed910dad0c6da873ef30f90396

SHA256
43cb47f4df5b0c44fda22501a37e5ea542847cb48c2e184e10d47dd20900c2e4

SHA512
6d86692b95765720e371e1c026eeaa8adcb4a166c733a172d6a578b67e9cf604c12a907ea927e494463c6102a40262a1f0b4059c62b330110d64f4c5b8208a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA676.tmp

Filesize
34B

MD5
da80ee148254b22f5abd221d25748784

SHA1
7edd2cb4579b715090f9c37137d99f64647fff19

SHA256
0c55fbe88cc03eeac0fd92d9a70ca408fb42a32f521b79daa0a347653f21b1be

SHA512
0677996ea1a6a6e80287999f4e62ef4d6d04386c3de5d9b7f35eb441f63712a8f5e95fb6ded744236a86989f98064f711e5fae8c2a8547e498bc1fb4a344cd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxA676.tmp

Filesize
40B

MD5
72b7428b8abb49aaf271b3e109861324

SHA1
9a7de768da2bcbc4f4920615de8412659884d377

SHA256
3132d1933679caa02317f2e2db8939a48e1473aa85b43ea1c4063d5b10d12bc1

SHA512
3a838ee1cd69d2aa2cb14f35eea545aec28aaa5be07f5ddab56dfb82a4b0fbe42c3cdd3b4222adfc8e198791b74f8e2fb425b73135385853a55216a5ce3537fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\barleybird.ini

Filesize
36B

MD5
aaec21587703506dff20363c6402f5c6

SHA1
d8995f3e0a6ac0ee4b0047e7301cd0f4e838ae9c

SHA256
10b7f20c1b7dd887624c1520bce6c531a5aa50cc9c8204bd277c2f7cccc39bc7

SHA512
d510c9ec8d02272d3112e89ae4a17d17442e5bd62d1cf3cc58526df2bb706f5e0e0be09cfdf775567564ff26a826570dc2d08e2a7439aed8924109f110386010

Download Submit
memory/1936-843-0x0000000004D90000-0x0000000007672000-memory.dmp

Filesize
40.9MB

Download
memory/1936-844-0x0000000077861000-0x0000000077981000-memory.dmp

Filesize
1.1MB

Download
memory/1936-845-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/1936-846-0x0000000004D90000-0x0000000007672000-memory.dmp

Filesize
40.9MB

Download
memory/3188-847-0x0000000001A80000-0x0000000004362000-memory.dmp

Filesize
40.9MB

Download
memory/3188-848-0x0000000000820000-0x0000000001A74000-memory.dmp

Filesize
18.3MB

Download
memory/3188-849-0x0000000000820000-0x0000000000862000-memory.dmp

Filesize
264KB

Download
memory/3188-850-0x0000000036C00000-0x00000000371A4000-memory.dmp

Filesize
5.6MB

Download
memory/3188-851-0x0000000037200000-0x0000000037266000-memory.dmp

Filesize
408KB

Download
memory/3188-852-0x0000000037CC0000-0x0000000037D10000-memory.dmp

Filesize
320KB

Download
memory/3188-853-0x0000000037D10000-0x0000000037DA2000-memory.dmp

Filesize
584KB

Download
memory/3188-854-0x0000000037DE0000-0x0000000037DEA000-memory.dmp

Filesize
40KB

Download
memory/3188-856-0x0000000001A80000-0x0000000004362000-memory.dmp

Filesize
40.9MB

Download