agenttesla | 845c7e0dbf037bc7528dce1b3fb517dbdd584a3fdeb85e224069b7061f0f4883

Analysis

max time kernel
89s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20250502-en
resource tags

arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2025, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Orden_NM049300 FERMAXIA.pdf.rar
Size

1.2MB
MD5

c17880bfc903d02a80f6b80e1abaafb4
SHA1

6b28c236aca016d67c705b58f3fee69e09ce920b
SHA256

e375e707631fd52a260161035ef7bf639f1d94338a169c733c6729f73d2eaf8b
SHA512

56e7e0e1d5c7762ea781c7c402db6c0e248ebe9e3cb0123ce9bafd3858091ec317b3bb750533e725071de107605e7b870c3b7868830ea48400b058bbb96ca06a
SSDEEP

24576:Bp6YIm4/bYfz3CgmpifFsIEV21zm/WNB0moL5F3ffr50ZQmx5+dxjuhIxq:BpiKLbfFsZ213NB095FHN0yA5w4Ixq

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.lampadari.gr
Port:
21
Username:
[email protected]
Password:
P8P[uVeJU=vh

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Executes dropped EXE 2 IoCs

pid	Process
2412	Orden_NM049300 FERMAXIA.pdf.exe
836	Orden_NM049300 FERMAXIA.pdf.exe

Loads dropped DLL 3 IoCs

pid	Process
2412	Orden_NM049300 FERMAXIA.pdf.exe
4364	Orden_NM049300 FERMAXIA.pdf.exe
836	Orden_NM049300 FERMAXIA.pdf.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\servic\lensaftales.exe	Orden_NM049300 FERMAXIA.pdf.exe
File opened for modification	C:\Windows\SysWOW64\servic\lensaftales.exe	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4364	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2412	Orden_NM049300 FERMAXIA.pdf.exe
4364	Orden_NM049300 FERMAXIA.pdf.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\dimensionsstabilt.ini	Orden_NM049300 FERMAXIA.pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Strandage\Engangsservicernes.ini	Orden_NM049300 FERMAXIA.pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\dimensionsstabilt.ini	Orden_NM049300 FERMAXIA.pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Strandage\Engangsservicernes.ini	Orden_NM049300 FERMAXIA.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orden_NM049300 FERMAXIA.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orden_NM049300 FERMAXIA.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3240	7zFM.exe
3240	7zFM.exe
4364	Orden_NM049300 FERMAXIA.pdf.exe
4364	Orden_NM049300 FERMAXIA.pdf.exe
3240	7zFM.exe
3240	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3240	7zFM.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2412	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3240	7zFM.exe
Token: 35	3240	7zFM.exe
Token: SeSecurityPrivilege	3240	7zFM.exe
Token: SeSecurityPrivilege	3240	7zFM.exe
Token: SeDebugPrivilege	4364	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3240	7zFM.exe
3240	7zFM.exe
3240	7zFM.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 2412	3240	7zFM.exe	103
PID 3240 wrote to memory of 2412	3240	7zFM.exe	103
PID 3240 wrote to memory of 2412	3240	7zFM.exe	103
PID 2412 wrote to memory of 4364	2412	Orden_NM049300 FERMAXIA.pdf.exe	107
PID 2412 wrote to memory of 4364	2412	Orden_NM049300 FERMAXIA.pdf.exe	107
PID 2412 wrote to memory of 4364	2412	Orden_NM049300 FERMAXIA.pdf.exe	107
PID 3240 wrote to memory of 836	3240	7zFM.exe	106
PID 3240 wrote to memory of 836	3240	7zFM.exe	106
PID 3240 wrote to memory of 836	3240	7zFM.exe	106
PID 2412 wrote to memory of 4364	2412	Orden_NM049300 FERMAXIA.pdf.exe	107
PID 2412 wrote to memory of 4364	2412	Orden_NM049300 FERMAXIA.pdf.exe	107

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Orden_NM049300 FERMAXIA.pdf.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\7zO8AC4F608\Orden_NM049300 FERMAXIA.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8AC4F608\Orden_NM049300 FERMAXIA.pdf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\7zO8AC4F608\Orden_NM049300 FERMAXIA.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8AC4F608\Orden_NM049300 FERMAXIA.pdf.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Users\Admin\AppData\Local\Temp\7zO8AC63A78\Orden_NM049300 FERMAXIA.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8AC63A78\Orden_NM049300 FERMAXIA.pdf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:836

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\dimensionsstabilt.ini

Filesize
41B

MD5
27d2c28b0e63d3fd739e20a94d602a95

SHA1
cdba3ea533b1bcb3d58770bd9f84d2620890aabd

SHA256
65d86cb89b14647b6df6f999e79e1ac3c8891b4b541a607abd3eae289f1c91f5

SHA512
646e78f54c8e4be4cd1fd705a478e83a0ce7e54b2a1db36899b681bdd3e4300f88772c8c29a6073dcd24023b6974d7dba86eae19bf82daa410c5674737c44a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Settings.ini

Filesize
50B

MD5
a6216ef9fbe57b11deeb1b1fd840c392

SHA1
e554348623ef9addde2fb3f2742d5cc1ef240ab1

SHA256
edf6c9da71daf3b3da2e89a1bc6b9f4b812f18fc133cf4706a3ae983e4040946

SHA512
af5fdd8419b8384361bbea7600b4da7860771dd974d3b2d747c6e1c4f7e4df49fe4be5fa2320e9041343c8d2ab5912be1cf279b61ed2a96954c1c2ed05aa0122

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2E7F.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
C:\Users\Admin\hundredfold\optativs\Uncontainableness\Olfactometers.Wea

Filesize
511KB

MD5
2f1aded5a3fee0631afaf2d2d1d5715b

SHA1
fa63bbaed99a08e3fc570d471f560d060241d948

SHA256
d2d985e309e4ab647712c03026053af2cce398f88e9453df7eea190d3c4fb596

SHA512
4a08345ff9529709f1beeca10f2878f7be0a185a3a52a2b6194464850c1da7734bf174fc8e0585fe8a762b4430a68e6a6622c5d7bd2dbd374575da0c683c6095

Download Submit
C:\Users\Admin\hundredfold\optativs\Uncontainableness\Waneatta\vikingetid\Prevalent\realised.ini

Filesize
402B

MD5
52d77e755cdd905fe98c8300c244af91

SHA1
ff9699e52085ceebb8c6443dea7764e351c080e7

SHA256
ec36e666f59e94a0b9f762773fe8a0efb0ce0a10b6cee58fa4b48ff370f06d66

SHA512
7b558fdd29653fb8fb20462b208a67f7ddabcb73e29ec8c550a0aee5885eb9bcd8c14c0867f6287ffdfa39279d2f5fa15599da9c4f625aa25556f73823ee1c2b

Download Submit
C:\Users\Admin\hundredfold\optativs\Uncontainableness\Waneatta\vikingetid\Prevalent\terminalia.txt

Filesize
691B

MD5
eb823999f284fded77d8099f8808827f

SHA1
17c064d6424fa6ef8db9ae84de22d6a2b5fcd0d1

SHA256
9789eef1cf06ef0c58f55c84fabed83a7adbb8dca2d7903659580338a8cc39a5

SHA512
c852ece642a5d019c77654f63c772416a07ab0468280d1ff597ee571ca680b2a89e82b96e1154b1ac7da3eeea95eb75d9eb381cb04912d8cc93f4bb62d6a2a1e

Download Submit
C:\Users\Admin\hundredfold\optativs\Uncontainableness\Waneatta\vikingetid\Prevalent\tmmerhandler.pri

Filesize
587KB

MD5
a419b17919db68a326c7371d3c8e8b4a

SHA1
662d1d5aa4ea08562c23f35df855652f5512eb3b

SHA256
a9ed7d69860da9e6197338d570e3f0efb6e7d79102312924a7d52fcd2a496d5e

SHA512
40aa74368582d51b840d4e7fc0c2ccd6b72a8fdd8b0cf7eca9efecbee62f6f5ece17d20994012d8c031396a096e937868a7b23be5a148d92ae634d559b08f2d6

Download Submit
C:\Users\Admin\hundredfold\optativs\Uncontainableness\Waneatta\vikingetid\enteroptosis.rek

Filesize
416KB

MD5
e7eced2bed1ec9676dd95ce41aa04aa5

SHA1
83bcea69c7b03b26c67fc13bd7e0d1a941d3eef0

SHA256
179ad988d40fc1bd891e6672704bc9f5b0e9f3ddf2a6e5af4cc2856e19906f23

SHA512
5767103dd94b05ec9ff4d6db802b2ae83fbf708eace192922cbbb7f5928a932598a30a818687394c2ec8acaa2c3ecd0cc8435f42805f79661e5ea3e5891ed728

Download Submit
C:\Users\Admin\hundredfold\optativs\Uncontainableness\Waneatta\vikingetid\fdestedskriterium.ini

Filesize
444B

MD5
0633fd2a9c4a93c00580d86e53bd26d2

SHA1
b8e982add99a937019f2ae2150ce133a5fa52bba

SHA256
6a31c758ac6e348c10c2d57fc873097d6191036c7fe8e631a24f17edd0807255

SHA512
f8434b1514f64978eeca055f2271f57329bf5983f82e78977a177cf38502319804b055820636b9a62588907622cfd7e88782834280c1221f8dbedc8ddcaa04b5

Download Submit
memory/2412-47-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2412-46-0x0000000077B01000-0x0000000077C21000-memory.dmp

Filesize
1.1MB

Download
memory/2412-36-0x0000000077B01000-0x0000000077C21000-memory.dmp

Filesize
1.1MB

Download
memory/4364-94-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/4364-96-0x0000000000460000-0x00000000004A2000-memory.dmp

Filesize
264KB

Download
memory/4364-97-0x0000000037E30000-0x00000000383D4000-memory.dmp

Filesize
5.6MB

Download
memory/4364-98-0x0000000000100000-0x0000000000166000-memory.dmp

Filesize
408KB

Download
memory/4364-99-0x0000000038C40000-0x0000000038C90000-memory.dmp

Filesize
320KB

Download
memory/4364-100-0x0000000038C90000-0x0000000038D22000-memory.dmp

Filesize
584KB

Download
memory/4364-101-0x0000000038D70000-0x0000000038D7A000-memory.dmp

Filesize
40KB

Download