agenttesla | 854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422 | Triage

Sharing

General

Target

8190f821195f3047bdba44fb309dd111
Size

240KB
Sample

201117-5trz1lk3ta
MD5

150845a95eb238bb0b72d9f9b7d31f63
SHA1

a79813ed17faa8da9bed564957e7eda5cb49d5ea
SHA256

854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422
SHA512

1f93fa80cefcf811549d280c0db7d7c9221d72fd4d387eacae321282a994d979db58c8d0ce8931fc1d9065aa63f961069042e0247302b650053216db4a5f3bcb

Score

10^/10

agenttesla redline smokeloader backdoor infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

rc4.i32

Targets

- Target
  
  8190f821195f3047bdba44fb309dd111
- Size
  
  240KB
- MD5
  
  150845a95eb238bb0b72d9f9b7d31f63
- SHA1
  
  a79813ed17faa8da9bed564957e7eda5cb49d5ea
- SHA256
  
  854d167ff218c5caa012baaa7bb80a2bfdd1ec9c4c6b3a66bef57240ade29422
- SHA512
  
  1f93fa80cefcf811549d280c0db7d7c9221d72fd4d387eacae321282a994d979db58c8d0ce8931fc1d9065aa63f961069042e0247302b650053216db4a5f3bcb
Score

10^/10

smokeloader backdoor trojan agenttesla redline infostealer keylogger spyware stealer
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- AgentTesla Payload
  keylogger stealer
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- JavaScript code in executable
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

smokeloaderbackdoortrojan

behavioral2

agentteslaredlinesmokeloaderbackdoorinfostealerkeyloggerspywarestealertrojan