agenttesla | 845c7e0dbf037bc7528dce1b3fb517dbdd584a3fdeb85e224069b7061f0f4883

General

Target

Orden_NM049300 FERMAXIA.pdf.exe
Size

139.0MB
MD5

f401a397d3c7b5a1085b07e0af7ec1f1
SHA1

595764cfd5c9c3879b67654715cb61e29d96d2f1
SHA256

6625cf920ee3eff3570c976c4dd2ce2bd603ab7b5982b413f691b931a80df134
SHA512

f6c83fd9863bd4d90493d6010eb87fe52c04bc564189471ce352660e5041df06704448a55c48864b05c580308adf4df34a608094487e385f1794bc1a1bfec04d
SSDEEP

24576:Jhl1uwXZu1sz7qxCbNFJoL2Ia0lit0moAp3nadNxkrDKWyD71yClk:Dlow37Lb3JoKIa0DmnnadNae1/lk

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.lampadari.gr
Port:
21
Username:
[email protected]
Password:
P8P[uVeJU=vh

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Loads dropped DLL 1 IoCs

pid	Process
2788	Orden_NM049300 FERMAXIA.pdf.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\servic\lensaftales.exe	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2160	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2788	Orden_NM049300 FERMAXIA.pdf.exe
2160	Orden_NM049300 FERMAXIA.pdf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\dimensionsstabilt.ini	Orden_NM049300 FERMAXIA.pdf.exe
File opened for modification	C:\Program Files (x86)\Common Files\Strandage\Engangsservicernes.ini	Orden_NM049300 FERMAXIA.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orden_NM049300 FERMAXIA.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2160	Orden_NM049300 FERMAXIA.pdf.exe
2160	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2788	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	Orden_NM049300 FERMAXIA.pdf.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2160	2788	Orden_NM049300 FERMAXIA.pdf.exe	99
PID 2788 wrote to memory of 2160	2788	Orden_NM049300 FERMAXIA.pdf.exe	99
PID 2788 wrote to memory of 2160	2788	Orden_NM049300 FERMAXIA.pdf.exe	99
PID 2788 wrote to memory of 2160	2788	Orden_NM049300 FERMAXIA.pdf.exe	99
PID 2788 wrote to memory of 2160	2788	Orden_NM049300 FERMAXIA.pdf.exe	99

C:\Users\Admin\AppData\Local\Temp\Orden_NM049300 FERMAXIA.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Orden_NM049300 FERMAXIA.pdf.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\Orden_NM049300 FERMAXIA.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Orden_NM049300 FERMAXIA.pdf.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz5DA3.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
memory/2160-30-0x000000007217E000-0x000000007217F000-memory.dmp

Filesize
4KB

Download
memory/2160-32-0x0000000037DC0000-0x0000000038364000-memory.dmp

Filesize
5.6MB

Download
memory/2160-40-0x0000000072170000-0x0000000072920000-memory.dmp

Filesize
7.7MB

Download
memory/2160-26-0x0000000076FE8000-0x0000000076FE9000-memory.dmp

Filesize
4KB

Download
memory/2160-27-0x0000000077005000-0x0000000077006000-memory.dmp

Filesize
4KB

Download
memory/2160-29-0x0000000076F61000-0x0000000077081000-memory.dmp

Filesize
1.1MB

Download
memory/2160-28-0x0000000000460000-0x00000000016B4000-memory.dmp

Filesize
18.3MB

Download
memory/2160-39-0x000000007217E000-0x000000007217F000-memory.dmp

Filesize
4KB

Download
memory/2160-38-0x0000000038D70000-0x0000000038D7A000-memory.dmp

Filesize
40KB

Download
memory/2160-33-0x0000000037D00000-0x0000000037D66000-memory.dmp

Filesize
408KB

Download
memory/2160-31-0x0000000000460000-0x00000000004A2000-memory.dmp

Filesize
264KB

Download
memory/2160-34-0x0000000072170000-0x0000000072920000-memory.dmp

Filesize
7.7MB

Download
memory/2160-36-0x0000000038C40000-0x0000000038C90000-memory.dmp

Filesize
320KB

Download
memory/2160-37-0x0000000038C90000-0x0000000038D22000-memory.dmp

Filesize
584KB

Download
memory/2788-25-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download
memory/2788-23-0x0000000076F61000-0x0000000077081000-memory.dmp

Filesize
1.1MB

Download
memory/2788-24-0x0000000076F61000-0x0000000077081000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing