agenttesla | a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee | Triage

Sharing

General

Target

a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
Size

870KB
Sample

240627-qvrm3atdqd
MD5

95dc64015aa43a27412f7ff0979c5b87
SHA1

bde0ae97f4f98c0dd8a0833702ff073befbec268
SHA256

a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
SHA512

450a8ba7eb3c3178b5567b692d55518d393af5d971bb22ab13e1c9078c9ea389f1a9e28d391a8882ef8d1b99972ec27af64fa2c7aa8fa79c9c0d2423d0176d10
SSDEEP

12288:XcIjd3nQIQsk3na+QiLPTEYLwdLh5d2tqnXQJgcCp8vGiVIkk84n5QWrV:XcIjUna3iLtwb/2tWXMi2rq7nHB

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.epressong.com
Port:
587
Username:
[email protected]
Password:
nFMLKCvO3
Email To:
[email protected]

Targets

- Target
  
  a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
- Size
  
  870KB
- MD5
  
  95dc64015aa43a27412f7ff0979c5b87
- SHA1
  
  bde0ae97f4f98c0dd8a0833702ff073befbec268
- SHA256
  
  a7d2ea641dbc8e50000e6b42c9cca200fa25d5e37ddd1857eb489795ab5564ee
- SHA512
  
  450a8ba7eb3c3178b5567b692d55518d393af5d971bb22ab13e1c9078c9ea389f1a9e28d391a8882ef8d1b99972ec27af64fa2c7aa8fa79c9c0d2423d0176d10
- SSDEEP
  
  12288:XcIjd3nQIQsk3na+QiLPTEYLwdLh5d2tqnXQJgcCp8vGiVIkk84n5QWrV:XcIjUna3iLtwb/2tWXMi2rq7nHB
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  55a26d7800446f1373056064c64c3ce8
- SHA1
  
  80256857e9a0a9c8897923b717f3435295a76002
- SHA256
  
  904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
- SHA512
  
  04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
- SSDEEP
  
  192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
Score

3^/10
behavioral3 behavioral4
- Target
  
  Absorbable.sul
- Size
  
  816KB
- MD5
  
  6593de223564535ce11d13bfb74348ca
- SHA1
  
  5d85af6a3877470118ddac318a131c7eb2498bb2
- SHA256
  
  a57cb464f48b61e87ed20832f2d6eae93c2669bb13850cb6186248e9b597364c
- SHA512
  
  f0b85a3f75268cb4b08ff7fc18a631acc4c1d9e8aca804b9ed8dfc186789bf930467f1c2ae2dcc769ac200557d4ff01abda80ea17ce622488d56c264d2941e3f
- SSDEEP
  
  768:ONjfRwbxYsn1KxrM/MRos6Yumut+ud9j4f7lzZnMkviwCdR/S9krIXLtZkCoVf/1:Q/5y
Score

3^/10
behavioral5 behavioral6
- Target
  
  Beskikningers/Misaimed.Vin
- Size
  
  20KB
- MD5
  
  b326cb8d03a7af828a6347addcb5a9d1
- SHA1
  
  1f7f57aa5763b004d3198597eb80208aa0e93570
- SHA256
  
  a9cd23eb35c039440bde74a206ac3613b52fd667aa1484125587e61c79912dfc
- SHA512
  
  57999de9a99336db3a7b9aff3c69295bda2514374187e0b0c0082f21b68101530b17a0d5a23157584303c505f82c3d441360b91649a39ec2a20ca6d890e8d126
- SSDEEP
  
  384:lUOZNanrJF8+6XhYz5zYHsP9R/wWb1ml2EM:JiT8+MadPEWJOc
Score

3^/10
behavioral7 behavioral8
- Target
  
  Beskikningers/Randon17.vgr
- Size
  
  1.0MB
- MD5
  
  7978bf27082616faade55b22394bbddc
- SHA1
  
  3cb41f03b1cd775f7f6bc9b95944854dda87bf36
- SHA256
  
  b88a13eb0eedb9be6e1f809d0b8a55979186db208858fedce5a59b28556b248b
- SHA512
  
  9a734b8285c96706c434aedf2abf6666e82ec257defab74213c50b18a5c7b23b3a48d76fe64e4cc6446cc460095cea3f37d8029fa28b9198f4a371ba1c23922b
- SSDEEP
  
  768:DfIbQMnX/cgMWndUtQ//KuGQ+4xRoQoezjVn20Ka17J6T0vbXHtPSeySgSJSejnK:VIbm
Score

3^/10
behavioral10 behavioral9
- Target
  
  Beskikningers/keelhauls.scr
- Size
  
  1.0MB
- MD5
  
  87a3ce82a211e6022d7145c99eef5edc
- SHA1
  
  d2aa5daef3272acdee40657353ebb0ba94728e8d
- SHA256
  
  66bf6c84307739696eb18d632b6a34755375e61f3c612dc273c7f8f25fcad938
- SHA512
  
  66f2bc1530f6d187749486c7305f069d67964ef5427a6a59f2dc081469f5d608c6e0d2c30edef70a6a79e6386be1528ae2b8725ba704e2d3cf8b2f303d8eb1cf
- SSDEEP
  
  768:N9lotXK6U6HA/zmsIxzvraRwfj+iMbmwrhg2hnwjYBm2GOP9bsWZafCJL6Ir7wxG:QRPMLzJ
Score

1^/10
behavioral11 behavioral12
- Target
  
  Beskikningers/primaveksel.txt
- Size
  
  442B
- MD5
  
  87308607bbefdd32639f5bcad963b8c2
- SHA1
  
  14a3196b8301243120bd7f9248c5949d718b4dea
- SHA256
  
  a71bd44ca8efda96ba1083d1d36fc2148592ca881cff674c71b7742a1866b012
- SHA512
  
  9019036c6976f9a8ba0f6d5fde538ffa69c537a320cf09758e2ceb9012f4c106e4d09b15248ca0a695dc7960ffbbf500ff21bd3a17ebd37fe3de13a0bbc8ea5e
Score

1^/10
behavioral13 behavioral14
- Target
  
  Beskikningers/skohornet.ser
- Size
  
  1.1MB
- MD5
  
  11825dab7ecea24188448d6de7d605a5
- SHA1
  
  90cc6eec53823cdb2e1946583042699b42c84bff
- SHA256
  
  e9f3ca77c307a76c115171b367b540d2615f30636a16ee986c852aef5eab6409
- SHA512
  
  6f0f808de0dadd0f8e94df72e1a85828f0bd8e14fb8f4300614901a17c260af55cfe33ec473fef34663e8b069bf19306eb32d38e39e60149bd85d83d14c23749
- SSDEEP
  
  768:zrTEDgAwUGxcEEBSF2XVHcg/62u6BEqlktC9le+FplzUtaPQVPKtoQFrqFrepOde:TM2gnM9
Score

3^/10
behavioral15 behavioral16
- Target
  
  Beskikningers/temperatures.ref
- Size
  
  697KB
- MD5
  
  17df408e712c3359e4b58f95e4529f16
- SHA1
  
  75203c6b467a1174b41dfefe3795a9b87331808e
- SHA256
  
  35d50d71afa6b8169123458a8232cde1e3d96e3a0e6734045714192b0930d1aa
- SHA512
  
  7fa7600651ce103dd3f5143036e5ee6b5b3262555d331761bd426898990a6b314e25a018e4b16b395e86e0a023b24df3796744860e6478efbfa190ebadbc4253
- SSDEEP
  
  768:eLtWEAnNzz6fiBH4r4D2EBct2GaDNHpDe9SM1hon+wFniYgoZhgBy9:Q
Score

3^/10
behavioral17 behavioral18
- Target
  
  Besttelsestropper.Hov
- Size
  
  272KB
- MD5
  
  f8863d882553a6efb3cb6111e7b13e3b
- SHA1
  
  c1079473474483560740fd299e53e9d4f7394b2e
- SHA256
  
  7e7cd7ae34b03ce558793e91faeba688e1d6bfd8753faff3d60f0bfdcafb4e75
- SHA512
  
  8d4951d30e3774e638cb93d24ad40b0fb738f08939cf30f1d60626277c90f5318f9fa2c5b322be12dbfbb8e7cb869d03d01138a112ebb1c041d3e533a10e1b32
- SSDEEP
  
  6144:EBIUbXTygOPJfDSn/ixkc0Ll9yCnYV8bws3fy4B:XkXOZxbakkc0Ll9QsY4B
Score

3^/10
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

behavioral2

guloaderdownloader

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20