agenttesla | 45a450142e00de4a60676d56cee58b35e2c59c0af562c7740cfc7c42c2175ba1

General

Target

10029384756.exe
Size

842KB
MD5

8baafa32d7de3e0ba360e8df8c95e509
SHA1

65555b69b67f242a68c83a1735d7764bcbb417a0
SHA256

45a450142e00de4a60676d56cee58b35e2c59c0af562c7740cfc7c42c2175ba1
SHA512

ce7b7897a037269e646f7f71d00100c463582f3b786f90b68916b4dd5ff9e60e3d85fdcf3cb1ecbef1de9c4ba21fb9a4770b50b97d8a3c0b6735a2062274d0d4
SSDEEP

24576:lWO703h0R6ZL7h1sb1YDij7wt54gjOfHb:ookh0u91SYDrjc

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://mail.hearing-vision.com
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Loads dropped DLL 1 IoCs

Processes:

10029384756.exe

pid process

1416 10029384756.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

10029384756.exe

pid process

4324 10029384756.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

10029384756.exe10029384756.exe

pid process

1416 10029384756.exe
4324 10029384756.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

10029384756.exe

description pid process target process

PID 1416 set thread context of 4324 1416 10029384756.exe 10029384756.exe
Drops file in Program Files directory 1 IoCs

Processes:

10029384756.exe

description ioc process

File opened for modification C:\Program Files (x86)\Common Files\garantis.bew 10029384756.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1416	10029384756.exe

flow	ioc
30	ip-api.com

pid	process
4324	10029384756.exe

pid	process
1416	10029384756.exe
4324	10029384756.exe

description	pid	process	target process
PID 1416 set thread context of 4324	1416	10029384756.exe	10029384756.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\garantis.bew	10029384756.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

10029384756.exe10029384756.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10029384756.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10029384756.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

10029384756.exe

pid process

4324 10029384756.exe
4324 10029384756.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

10029384756.exe

pid process

1416 10029384756.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

10029384756.exe

description pid process

Token: SeDebugPrivilege 4324 10029384756.exe

pid	process
4324	10029384756.exe
4324	10029384756.exe

pid	process
1416	10029384756.exe

description	pid	process
Token: SeDebugPrivilege	4324	10029384756.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

10029384756.exe

description	pid	process	target process
PID 1416 wrote to memory of 4324	1416	10029384756.exe	10029384756.exe
PID 1416 wrote to memory of 4324	1416	10029384756.exe	10029384756.exe
PID 1416 wrote to memory of 4324	1416	10029384756.exe	10029384756.exe
PID 1416 wrote to memory of 4324	1416	10029384756.exe	10029384756.exe
PID 1416 wrote to memory of 4324	1416	10029384756.exe	10029384756.exe

C:\Users\Admin\AppData\Local\Temp\10029384756.exe
"C:\Users\Admin\AppData\Local\Temp\10029384756.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Local\Temp\10029384756.exe
  "C:\Users\Admin\AppData\Local\Temp\10029384756.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nskB7F8.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\sindsoprrte.ini

Filesize
40B

MD5
34b6486be479025fb25d832fa829a153

SHA1
a7e5f7f6cfc1004b46181c718a250f603a19ea1c

SHA256
bc3788143aae61e43980462fbb660958db120cf7975a990ce5598bdf80dcf5f3

SHA512
71494342be8989348f9df287a8e6fdb3b850d9d3f6d1f106f2ca75d241da141514ea23530e02d38bee700217792ed18b425f0e143de31731b7858acfc0e07e30

Download Submit
memory/1416-276-0x00000000045E0000-0x00000000076D7000-memory.dmp

Filesize
49.0MB

Download
memory/1416-277-0x0000000077821000-0x0000000077941000-memory.dmp

Filesize
1.1MB

Download
memory/1416-278-0x00000000045E0000-0x00000000076D7000-memory.dmp

Filesize
49.0MB

Download
memory/4324-280-0x00000000007D0000-0x0000000001A24000-memory.dmp

Filesize
18.3MB

Download
memory/4324-279-0x0000000001A30000-0x0000000004B27000-memory.dmp

Filesize
49.0MB

Download
memory/4324-281-0x00000000007D0000-0x0000000000812000-memory.dmp

Filesize
264KB

Download
memory/4324-282-0x0000000037460000-0x0000000037A04000-memory.dmp

Filesize
5.6MB

Download
memory/4324-283-0x0000000037340000-0x00000000373A6000-memory.dmp

Filesize
408KB

Download
memory/4324-285-0x0000000038210000-0x00000000382A2000-memory.dmp

Filesize
584KB

Download
memory/4324-286-0x0000000001A30000-0x0000000004B27000-memory.dmp

Filesize
49.0MB

Download
memory/4324-287-0x00000000382D0000-0x0000000038320000-memory.dmp

Filesize
320KB

Download
memory/4324-288-0x0000000038360000-0x000000003836A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing