agenttesla | 81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478

Analysis

max time kernel
147s
max time network
69s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
Size

760KB
MD5

e66902c532dd0fd4f019200e4599f17c
SHA1

6306e266e3d9dcd3671aa81f77bb7502e3ae76ff
SHA256

81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478
SHA512

bfc0fb98f0921f370e55fc8d9ad8cd79c0280e0de9e6a49fb28cac5eebdf28e6bf14c5f1b94c23405dd387e5495c5f754568b20600ee7fd449a123a14a3b756d
SSDEEP

12288:9s6eULcXcekO8cHzf2l4t5musvXsD6En3kV117Dd:MMetHzf2l4KvXgn3kJ7Dd

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 6 IoCs

pid	Process
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2620	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2620	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2592 set thread context of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2620	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
2620	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30
PID 2592 wrote to memory of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30
PID 2592 wrote to memory of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30
PID 2592 wrote to memory of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30
PID 2592 wrote to memory of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30
PID 2592 wrote to memory of 2620	2592	81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe	30

C:\Users\Admin\AppData\Local\Temp\81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
"C:\Users\Admin\AppData\Local\Temp\81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe
  "C:\Users\Admin\AppData\Local\Temp\81c7f5b291b1fcd6d64f7f12208b0134a8462f156dbda97188ec0ba5ff869478.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsuDE11.tmp\LangDLL.dll

Filesize
5KB

MD5
174708997758321cf926b69318c6c3f5

SHA1
645488089bf320f6864e0d0bc284c85216e56fbd

SHA256
f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873

SHA512
214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054

Download Submit
\Users\Admin\AppData\Local\Temp\nsuDE11.tmp\System.dll

Filesize
11KB

MD5
0ff2d70cfdc8095ea99ca2dabbec3cd7

SHA1
10c51496d37cecd0e8a503a5a9bb2329d9b38116

SHA256
982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b

SHA512
cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e

Download Submit
memory/2592-33-0x00000000030D0000-0x00000000042DA000-memory.dmp

Filesize
18.0MB

Download
memory/2592-34-0x00000000030D0000-0x00000000042DA000-memory.dmp

Filesize
18.0MB

Download
memory/2592-35-0x00000000772F1000-0x00000000773F2000-memory.dmp

Filesize
1.0MB

Download
memory/2592-36-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/2592-38-0x00000000030D0000-0x00000000042DA000-memory.dmp

Filesize
18.0MB

Download
memory/2620-37-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/2620-39-0x00000000004B0000-0x0000000001512000-memory.dmp

Filesize
16.4MB

Download
memory/2620-40-0x00000000004B0000-0x00000000004F2000-memory.dmp

Filesize
264KB

Download