agenttesla | e6f324fbaefc81fccbdfe6fed5149208f57f433648f060aed9dad2e5e6e41914

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_PDF.scr
Size

1.1MB
MD5

413cae37425edcce276f91625c47b2a3
SHA1

81d012baa1f6942e91e4ef572d10216449f3d031
SHA256

e6f324fbaefc81fccbdfe6fed5149208f57f433648f060aed9dad2e5e6e41914
SHA512

1aef7b5dd04a0fe7f74514ca5ba702d667c921326102c02fbeead32a49b8b95338b88f4ad3062fc44679dfc55c54c96b00078b50a7d7bca52a9289173b21bab6
SSDEEP

12288:SgvDFlHAhy4T2sEfc5hWjVWGl85ukYm27iFBKb2VlpylaU0zmcHq3lBwD7DpVs:SgvmDasqc4lJS2FOdmcHZfD0

Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://176.65.142.225
Port:
21
Username:
Val
Password:
Val56@@

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 2 IoCs

pid	Process
2756	Document_PDF.scr
2756	Document_PDF.scr

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2692	Document_PDF.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2756	Document_PDF.scr
2692	Document_PDF.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Document_PDF.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Document_PDF.scr

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	Document_PDF.scr
2692	Document_PDF.scr

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2756	Document_PDF.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	Document_PDF.scr

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2692	2756	Document_PDF.scr	93
PID 2756 wrote to memory of 2692	2756	Document_PDF.scr	93
PID 2756 wrote to memory of 2692	2756	Document_PDF.scr	93
PID 2756 wrote to memory of 2692	2756	Document_PDF.scr	93

C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr
"C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr
  "C:\Users\Admin\AppData\Local\Temp\Document_PDF.scr" /S
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsa87B0.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa87B1.tmp\System.dll

Filesize
12KB

MD5
6e55a6e7c3fdbd244042eb15cb1ec739

SHA1
070ea80e2192abc42f358d47b276990b5fa285a9

SHA256
acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

SHA512
2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8800.tmp

Filesize
15B

MD5
aec87a5b696e973fd725cfd7fccef0bb

SHA1
4c0cd9bd8adbc7ad00627bc192c73d3aa23f0f02

SHA256
a48c987be1252d84c855810b44ad498f5ab67b9b8bfea471b0e1ec5a7f480fc9

SHA512
8cf3daf380683412911f7d0719c48a9ffa313d09016f6c811f41a16416ad0c3abba2cd34a57ca912ca1853b12665824732a480ec15f127a33aa1476d7479d499

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8800.tmp

Filesize
14B

MD5
4916cd6b7dda05c7a23b1d31d796ed7b

SHA1
a999776c87fb3bc6fc6390469c79ec302ee2410f

SHA256
fbd1ae27c78de7d1be52844bfb664657c23dc7a39dc32126f422e26ef472b954

SHA512
db2e17ed849245ab83db878e80b743fd1967f8609793be2736e300d683f9484e61c83fdab089fdf39aca4d196513d7afe65ec7d37964a162852a3f372e39d051

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa8800.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8841.tmp

Filesize
56B

MD5
881a2cbb01a1ab170406b55df8faa5ae

SHA1
68ad93e65e4cb3a01b3baeb9646194317fe001d3

SHA256
f81ca7d48402c14099e81aaf508a34a5ee0135e45b67f719d8d4f4baded51c5a

SHA512
e09a2fb5151c99245c4ba3c04dbb2ddae5db1139b54059ebd2ffc891747beb533878b74b3e0edbd6a84b779ec201f4c14eb094c73c870d10ce3b9c900ba85c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8890.tmp

Filesize
8B

MD5
0aff9fdb7bae79c535cbdbb7f3ecb028

SHA1
cb32be0ca11c3fb6ede60d578af91f0aa21af6e5

SHA256
09db256670b92566a3108f5913d78b8b872c473340abf48cda2af7ca33cec3df

SHA512
f52bb5b8846dadea41f8951a40258813d6c3f40328996945c23c6f4588e7e8bb5bbdd7f83bf0da45b123c14a1c826dd7e4f8439bbe4a9888d238848222530995

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8890.tmp

Filesize
15B

MD5
232ea7835f5abeffc769949d0bad82bf

SHA1
d8183e34d3c48afb0f7598a4dc11182218d7e9fe

SHA256
384e1fc0d130aa5cbfa9077f6de89b555e096afb67cd2dd827933b992549e69c

SHA512
e552cc1f310029859899ab726b70ef38c08026af5e0c125c58e9b31005d8c2fd2d636d8bb3aaf8a039aa3450f058c038186da34b63e883e3613049a6df6905e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8890.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8811.tmp

Filesize
31B

MD5
8c8bd8fbb6a3ff7be942ec768c031902

SHA1
d94bbd2ef0615130301ec46f35d22d04dd1a13da

SHA256
f497a2c267e1afd9509b93578e15948f1a02683814029488eefe20318cea0df8

SHA512
1b8dc486827a1410b1f1295327932c96c9b5be44faf714a7900417f10f53936c4d928da46cd476bc8f96e712cbbe730c34724d617c472105631a40293b861293

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8811.tmp

Filesize
37B

MD5
563768a83c7d42671ed6b76fed512bb2

SHA1
6ba15996112223b9615ca414a15a5d6dae977592

SHA256
a53459f8100c4617dea2cff756780c3c743388c4bb14febf3f17d30b064903e3

SHA512
fe1608ee1199aa8d2884d9112f53f4e51f516697f8b04b783cacc846084587ba5fa9f884627c973fb97ef2216f2c7fd046ff169ec8c9f7ddcde0b72899782cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq8811.tmp

Filesize
60B

MD5
4f711c6ddc2cb072ada25e192bd0d082

SHA1
cda3ac7d0014678fb58c63d447ba3bdf728f7119

SHA256
b47085b6f5aa283e236c155ff4e297265b081261f405a769e749bdd5160a2fcb

SHA512
f1b3a924bf80f69e7a0244a22a9be5ef65cba5673593bc8d1d3bc7030bae03395ef8fbfe874f69160009408cf2b30e7d8042f328df0f2e2f6fdaaf0cde05ef4a

Download Submit
memory/2692-581-0x0000000001730000-0x000000000388A000-memory.dmp

Filesize
33.4MB

Download
memory/2692-586-0x00000000374B0000-0x0000000037542000-memory.dmp

Filesize
584KB

Download
memory/2692-589-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/2692-572-0x0000000001730000-0x000000000388A000-memory.dmp

Filesize
33.4MB

Download
memory/2692-573-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/2692-574-0x00000000772C8000-0x00000000772C9000-memory.dmp

Filesize
4KB

Download
memory/2692-575-0x00000000772E5000-0x00000000772E6000-memory.dmp

Filesize
4KB

Download
memory/2692-579-0x0000000001730000-0x000000000388A000-memory.dmp

Filesize
33.4MB

Download
memory/2692-580-0x00000000004D0000-0x0000000001724000-memory.dmp

Filesize
18.3MB

Download
memory/2692-588-0x0000000036820000-0x000000003682A000-memory.dmp

Filesize
40KB

Download
memory/2692-582-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/2692-583-0x00000000368C0000-0x0000000036E64000-memory.dmp

Filesize
5.6MB

Download
memory/2692-584-0x00000000343B0000-0x0000000034416000-memory.dmp

Filesize
408KB

Download
memory/2692-587-0x0000000036840000-0x0000000036890000-memory.dmp

Filesize
320KB

Download
memory/2756-570-0x0000000077241000-0x0000000077361000-memory.dmp

Filesize
1.1MB

Download
memory/2756-569-0x00000000030E0000-0x000000000523A000-memory.dmp

Filesize
33.4MB

Download
memory/2756-571-0x00000000746E5000-0x00000000746E6000-memory.dmp

Filesize
4KB

Download