agenttesla | 3c1d75070302ac6b9ae87a6f8e7fa5868ec54113cf0b4f44b4d702d8e11196ce | Triage

Submit
Reports

Overview

overview

Static

static

3

1669d57e8c...0b.exe

windows7-x64

1669d57e8c...0b.exe

windows10-2004-x64

Sharing

General

Target

31cbb0ad4fbff526978c68212a36fb90.bin
Size

1.0MB
Sample

240701-bwhn8avhkl
MD5

f0f4b672136fa5858992257e4be40dbf
SHA1

d52b296a5a77bb8f90c3afa80df032c3f80ae8d4
SHA256

3c1d75070302ac6b9ae87a6f8e7fa5868ec54113cf0b4f44b4d702d8e11196ce
SHA512

1e114b3fd716a51befed13edfc772f02e6f8a5a911aa722bef94f4a2c4d2f33e9071e9fad99ae7bdf384f77f589b7e946801ecd4c148232c6d2eb4b2c003ef1e
SSDEEP

24576:3k3GbOMJSTK8q9cjMfDyNLBlix3dpK1lNqtHHR8KfWFukjK:YJTQ9tYLBsdpeaxuxjK

Score

10^/10

agenttesla redline xworm foz execution infostealer keylogger rat spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe

Resource

win7-20240508-en

agenttesla redline xworm foz execution infostealer keylogger rat spyware stealer trojan

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe

Resource

win10v2004-20240226-en

agenttesla redline xworm foz execution infostealer keylogger rat spyware stealer trojan

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

xworm

Version

5.0

C2

195.10.205.94:7725

Mutex

rliv2fMggtmcxYMM

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Extracted

Family

redline

Botnet

foz

C2

209.90.234.57:1913

Targets

- Target
  
  1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe
- Size
  
  2.2MB
- MD5
  
  31cbb0ad4fbff526978c68212a36fb90
- SHA1
  
  d5cbdd8f03037a73dd40c0819498c969ae5b9102
- SHA256
  
  1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
- SHA512
  
  3f8e80aa86d486eacf4336b6a0a8f9c997de33a7ae1da5a1637e99fc168e0c4c8c1a9324b3c9bb69ce74d3529a881931234f45764d8f46810d820fb5629414a5
- SSDEEP
  
  49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ
Score

10^/10

agenttesla redline xworm foz execution infostealer keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agentteslaredlinexwormfozexecutioninfostealerkeyloggerratspywarestealertrojan

behavioral2

agentteslaredlinexwormfozexecutioninfostealerkeyloggerratspywarestealertrojan

© 2018-2024

Terms | Privacy