agenttesla

General

Target

31.exe
Size

12.5MB
Sample

201124-cgz7ehbljs
MD5

af8e86c5d4198549f6375df9378f983c
SHA1

7ab5ed449b891bd4899fba62d027a2cc26a05e6f
SHA256

7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
SHA512

137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1

Malware Config

Extracted

Family

formbook

Version

4.0

C2

http://www.worstig.com/w9z/

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi_rm3

Botnet

86920224

C2

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

danabot

C2

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.com/i0qi/

http://www.norjax.com/app/

Decoy

mytakeawaybox.com

goutaihuo.com

kuzey.site

uppertenpiercings.amsterdam

honeygrandpa.com

jenniferabramslaw.com

ncarian.com

heavilymeditatedhouston.com

gsbjyzx.com

akisanblog.com

taoyuanreed.com

jasperrvservices.com

yabbanet.com

myhealthfuldiet.com

flipdigitalcoins.com

toes.photos

shoottillyoumiss.com

maserental.com

smarteacher.net

hamdimagdeco.com

Targets

- Target
  
  31.exe
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Score

10^/10

agenttesla danabot formbook gozi_rm3 86920224 agilenet banker botnet coreentity cryptone keylogger packer rat rezer0 spyware stealer trojan dharma evasion persistence ransomware
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- AgentTesla Payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

CoreEntity .NET Packer

Danabot

Danabot x86 payload

Dharma

Formbook

Gozi RM3

AgentTesla Payload

CryptOne packer

Formbook Payload

Looks for VirtualBox Guest Additions in registry

ReZer0 packer

Executes dropped EXE

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks QEMU agent file

Drops startup file

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Adds Run key to start application

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2