agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

Downloads.exe
Size

141.0MB
Sample

201119-va6cdbx12x
MD5

07917bc6f34323a498bbbf68eb446724
SHA1

6f192776575fe4087684d24a0a5fb07e5a1c76ed
SHA256

a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86
SHA512

55ce66a638c3a939cfc3031c5f5f194181730a3d27ffd47524a2c5a1947b0cf4cbb38e65d39077d7947d40d952c11c68597e591c58bc025c62e6850d53036aee

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.141.184.35
Port:
21
Username:
alex
Password:
easypassword

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.91
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

azorult

http://195.245.112.115/index.php

http://kvaka.li/1210776429.php

Extracted

Family

warzonerat

sandyclark255.hopto.org:5200

Extracted

Family

asyncrat

Version

0.5.6A

sandyclark255.hopto.org:6606

sandyclark255.hopto.org:8808

sandyclark255.hopto.org:7707

Mutex

adweqsds56332

Attributes

aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
anti_detection
true
autorun
true
bdos
false
delay
host
sandyclark255.hopto.org
hwid
install_file
install_folder
%AppData%
mutex
adweqsds56332
pastebin_config
null
port
6606,8808,7707
version
0.5.6A

aes.plain

Extracted

Credentials

Protocol: smtp
Host:
mail.pro-powersourcing.com
Port:
587
Username:
[email protected]
Password:
china1977

Extracted

Family

formbook

Version

4.0

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi_rm3

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

formbook

Version

4.1

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

qakbot

Botnet

spx129

Campaign

1590734339

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Targets

- Target
  
  Downloads.exe
- Size
  
  141.0MB
- MD5
  
  07917bc6f34323a498bbbf68eb446724
- SHA1
  
  6f192776575fe4087684d24a0a5fb07e5a1c76ed
- SHA256
  
  a6942a7cce17a9de2ff1679f685796468698f06a45f6e4e97b9ff5027ef35a86
- SHA512
  
  55ce66a638c3a939cfc3031c5f5f194181730a3d27ffd47524a2c5a1947b0cf4cbb38e65d39077d7947d40d952c11c68597e591c58bc025c62e6850d53036aee
Score

10^/10

asyncrat azorult pony redline rms warzonerat xmrig aspackv2 bootkit discovery evasion infostealer macro miner persistence rat spyware stealer trojan upx xlm agenttesla danabot dharma formbook gozi_rm3 guloader plugx qakbot 86920224 spx129 1590734339 agilenet banker botnet coreentity cryptone downloader guloader keylogger packer ransomware rezer0
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- AgentTesla Payload
- Async RAT payload
  rat
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Formbook Payload
  rat
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Guloader Payload
  guloader
- Looks for VirtualBox Guest Additions in registry
  evasion
- Nirsoft
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Warzone RAT Payload
  rat
- XMRig Miner Payload
  miner
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Sets DLL path for service in the registry
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Modifies WinLogon
  persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2