agenttesla | e6f324fbaefc81fccbdfe6fed5149208f57f433648f060aed9dad2e5e6e41914

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_PDF.scr
Size

1.1MB
MD5

413cae37425edcce276f91625c47b2a3
SHA1

81d012baa1f6942e91e4ef572d10216449f3d031
SHA256

e6f324fbaefc81fccbdfe6fed5149208f57f433648f060aed9dad2e5e6e41914
SHA512

1aef7b5dd04a0fe7f74514ca5ba702d667c921326102c02fbeead32a49b8b95338b88f4ad3062fc44679dfc55c54c96b00078b50a7d7bca52a9289173b21bab6
SSDEEP

12288:SgvDFlHAhy4T2sEfc5hWjVWGl85ukYm27iFBKb2VlpylaU0zmcHq3lBwD7DpVs:SgvmDasqc4lJS2FOdmcHZfD0

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://176.65.142.225
Port:
21
Username:
Val
Password:
Val56@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
1344	Document_PDF.scr
1344	Document_PDF.scr

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
808	Document_PDF.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1344	Document_PDF.scr
808	Document_PDF.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Document_PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Document_PDF.scr

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
808	Document_PDF.scr
808	Document_PDF.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1344	Document_PDF.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	808	Document_PDF.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 808	1344	Document_PDF.scr	90
PID 1344 wrote to memory of 808	1344	Document_PDF.scr	90
PID 1344 wrote to memory of 808	1344	Document_PDF.scr	90
PID 1344 wrote to memory of 808	1344	Document_PDF.scr	90

C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr
"C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr
  "C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr" /S
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa3F8B.tmp

Filesize
50B

MD5
2216084b6a73d95017a9f19fe4ea90b3

SHA1
c0b17c0ef6ce6dc6843efc256123c1e2328fb5d7

SHA256
6466410a38bbf5d826b36d189c43f135c1cad5df289156fd8e2f26d655757550

SHA512
ba297fa9f33b8ec39fa764f3154929971d5a87dabedd7ba7f24286dbc09f1ac4d4617f0b40e2c5b393c693a87693b94f1c8522eed9e406afd1f50ad4af1c3930

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3F8B.tmp

Filesize
54B

MD5
9a713b22b9b19699028866ca422a29dd

SHA1
8e649e64808e6295e09bd099d5e8f68810eb07a1

SHA256
ed78ce82873035c34c91e7d257f95bf733a9cad48bf31348c4a443fc741c6cf3

SHA512
57d3262e0f4251a9e1169be68c45bd5a8e7895aba7fee444863f1c25c05b8d7754a9d60c68ad59d6d4ccc522d038d4e3244d91a1598ef169de8766334e7afffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa3F8B.tmp

Filesize
60B

MD5
4f711c6ddc2cb072ada25e192bd0d082

SHA1
cda3ac7d0014678fb58c63d447ba3bdf728f7119

SHA256
b47085b6f5aa283e236c155ff4e297265b081261f405a769e749bdd5160a2fcb

SHA512
f1b3a924bf80f69e7a0244a22a9be5ef65cba5673593bc8d1d3bc7030bae03395ef8fbfe874f69160009408cf2b30e7d8042f328df0f2e2f6fdaaf0cde05ef4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F0B.tmp

Filesize
14B

MD5
2f18f8f3b6d27674881e055d03e7e356

SHA1
7f6bb8aa1fa32dfb63b1da03d45c9aad694eeaf2

SHA256
7a9d5de32c67cb645d31b7d278cee322b643f98342a2d3b350bef4477a806d1a

SHA512
8d9ee0a92f9a0b15213eab47d1cab60258bf34b82664b4744e130d23a7a28d895c687322ae670d04168e3897f31da50999ea12a2c7f730d22be1fc363ef13631

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F0B.tmp

Filesize
24B

MD5
42e9d16f22a223f11084f22b94b42210

SHA1
7f4dcba6193c831687f6a1cac9b60231be8a6a1a

SHA256
0717d3c2c8ad4b25752e43514cd4352de08c51bb9a8d153beb842dd421677b91

SHA512
a965c1381a0179e1bb1600fed3065741ebacc8c1e0a73db5d0db4eddbe5a45ec42cbd489a525d5c5151f52188daf367d0740e6555d9e41c1385a2fed4b7a6ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F0B.tmp

Filesize
30B

MD5
1ef630a300aa83be06f631ae4caafaaa

SHA1
d6f50f255a7a2c875b9a2e72f9fe0e3555d7d0a9

SHA256
1886befe7455fcda2daf5715f2b768e012a1d6debe288fa5feb4e523fd4f52d4

SHA512
05b243bd5bfcc6445cf75d3ce9786761a1bf88850d6232e988956f1f5975fb5de1e801fdb8ccb8c8baa340080c4a51817943eba07d3ca07c1d8bf8d7f66f160e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F0B.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F0C.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F5B.tmp

Filesize
9B

MD5
2b3884fe02299c565e1c37ee7ef99293

SHA1
d8e2ef2a52083f6df210109fea53860ea227af9c

SHA256
ae789a65914ed002efb82dad89e5a4d4b9ec8e7faae30d0ed6e3c0d20f7d3858

SHA512
aeb9374a52d0ad99336bfd4ec7bb7c5437b827845b8784d9c21f7d96a931693604689f6adc3ca25fad132a0ad6123013211ff550f427fa86e4f26c122ac6a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F5B.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf3F5B.tmp

Filesize
43B

MD5
861b54f1598ea66927bfe815c60b07bf

SHA1
05ed884e4bbf1b3f5564849ea66130977618f482

SHA256
5c9b9d544efddd32a858390c7f0f7123f4b06e201de44f6e59397d49bac23f42

SHA512
ff5b0a987698f4510e63d63ab6ee8738deda76b8b858d989b951918ee388f63519528afd76e521c16b0e8559939c184e05cb1be33fb4af49e026cb27c57fdd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3FCB.tmp

Filesize
24B

MD5
942a0add5de9c46c9874a72eba3ce9f6

SHA1
c51748200f0e8ff506ca5d9878573146be220491

SHA256
3d42f06595afec189d9167ecf58d0da6c8294c155e9fc364d8fe8bdcdf25bc89

SHA512
1813eba450ea8bb385b0da7ce4b54a196df7d8b8fb8e79ee9a8161aad31ba7e9e082a337e08c5f09aa19d48a19c1d3c20596893017f350dec28bab36b1366800

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3FCB.tmp

Filesize
47B

MD5
6dfca908bfb0a74bc7b442fbb5ba7e59

SHA1
7464429688143e7b08890afe87f6ebcec681d653

SHA256
462e88eb74b5a3d378519ed28b0d148e77cb3d9f514b67f60e9ffdd0117f2467

SHA512
ea352dc8069b41d29607d043d90ce8c83e864ec791a2df12afdab80a2cba413f8bbad728c46a37bdb75b3557a9c5faf7d439417c4fb04b0f3efeb2be2c7c19e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3FCB.tmp

Filesize
56B

MD5
881a2cbb01a1ab170406b55df8faa5ae

SHA1
68ad93e65e4cb3a01b3baeb9646194317fe001d3

SHA256
f81ca7d48402c14099e81aaf508a34a5ee0135e45b67f719d8d4f4baded51c5a

SHA512
e09a2fb5151c99245c4ba3c04dbb2ddae5db1139b54059ebd2ffc891747beb533878b74b3e0edbd6a84b779ec201f4c14eb094c73c870d10ce3b9c900ba85c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv400A.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
memory/808-581-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/808-580-0x0000000001730000-0x000000000388A000-memory.dmp

Filesize
33.4MB

Download
memory/808-588-0x0000000077D21000-0x0000000077E41000-memory.dmp

Filesize
1.1MB

Download
memory/808-572-0x0000000001730000-0x000000000388A000-memory.dmp

Filesize
33.4MB

Download
memory/808-573-0x0000000077DA8000-0x0000000077DA9000-memory.dmp

Filesize
4KB

Download
memory/808-574-0x0000000077DC5000-0x0000000077DC6000-memory.dmp

Filesize
4KB

Download
memory/808-587-0x0000000037520000-0x000000003752A000-memory.dmp

Filesize
40KB

Download
memory/808-578-0x0000000001730000-0x000000000388A000-memory.dmp

Filesize
33.4MB

Download
memory/808-586-0x00000000374A0000-0x00000000374F0000-memory.dmp

Filesize
320KB

Download
memory/808-579-0x00000000004D0000-0x0000000001724000-memory.dmp

Filesize
18.3MB

Download
memory/808-582-0x0000000036650000-0x0000000036BF4000-memory.dmp

Filesize
5.6MB

Download
memory/808-583-0x0000000036560000-0x00000000365C6000-memory.dmp

Filesize
408KB

Download
memory/808-585-0x00000000373E0000-0x0000000037472000-memory.dmp

Filesize
584KB

Download
memory/1344-569-0x0000000002FA0000-0x00000000050FA000-memory.dmp

Filesize
33.4MB

Download
memory/1344-570-0x0000000077D21000-0x0000000077E41000-memory.dmp

Filesize
1.1MB

Download
memory/1344-571-0x00000000751C5000-0x00000000751C6000-memory.dmp

Filesize
4KB

Download