agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

Local Virus Copies.zip
Size

13.6MB
Sample

210126-8kenvtwef2
MD5

cc0c7dd67b318f50314664d227e1c071
SHA1

afd99154fee47d24decc2fc2f96d8e7c4aa57edd
SHA256

4a9006cf3b6e40360af21fbc2c9c419a58212f9fc06cb2a534240790a2e6dbac
SHA512

e9081fdec088c95f4989984497b809ab40c82f8e73ff73ff8b9ae5d225271fa7f69d68e8786443b88dca3912e0ec782b3d627fb9b391b95c63638899ac8daa6f

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://94.158.245.88/mae.ps1

Targets

- Target
  
  122de0842b4df547c9bddfb0b594a1b8f8b55da501c6f35b038153981cf1870d
- Size
  
  59KB
- MD5
  
  dc22d16b05f7a9f13d9ad89a95b7f08d
- SHA1
  
  4eb21124de55173e59aad88b4c22fde438ea9046
- SHA256
  
  122de0842b4df547c9bddfb0b594a1b8f8b55da501c6f35b038153981cf1870d
- SHA512
  
  17fe35bace47e1615fd98beb1fd54329a03b307edfee9fc9709ec1781549392a04a4334e8fc8019cadcf591a44b32408ca6416305aded35bcd34e59ecaf7effd
Score

6^/10

persistence
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  21837bd6a795e92f326fe1a26523411408c5e8ad38054353c55ffc514e72b927
- Size
  
  1.7MB
- MD5
  
  45c57065809192c988346a5e2eb66a65
- SHA1
  
  2cbad3e97e9fee9a6a17009035fd871d0dadfd3a
- SHA256
  
  21837bd6a795e92f326fe1a26523411408c5e8ad38054353c55ffc514e72b927
- SHA512
  
  67948d65def21457283e4be5e31bf35098c4c2e27adcc808053920847277bf35b75061c9d36ca099b3bb0d822f8ad80aaa8a73a3f5f39ed0c4714d050c7e9afe
Score

10^/10

amadey trojan upx
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  30131519d29744c302b7cc68898c5238358a75a0c01d398b3df894896620cbfc
- Size
  
  420KB
- MD5
  
  cde4bb46d908cdb0df9cde0f7636e0c0
- SHA1
  
  0cccbf4628cc325cb2528815524c9ed12ee19b35
- SHA256
  
  30131519d29744c302b7cc68898c5238358a75a0c01d398b3df894896620cbfc
- SHA512
  
  ea89ea2b365eaa0607ad5aac9308a2d94ea55794726243c32969d25cd435f327282396bc8abefdd5ffbec2dd652ed5b84ac28022caebe6ee00f32b407c7faaca
Score

5^/10
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  3be39aebffed61e79f7bd2405d3e2722a1cf388a820b819ff76c1c1a132fd37a
- Size
  
  3.3MB
- MD5
  
  81c78d3e3e2ea4a6f5a7adc544472d9f
- SHA1
  
  5b0a43cfe170e65e2319eaf7ba69728a78b56094
- SHA256
  
  3be39aebffed61e79f7bd2405d3e2722a1cf388a820b819ff76c1c1a132fd37a
- SHA512
  
  2d3ca570619136bb260ef85b6b1296189a9cdde5d3cf97aa27137b875183a4f4afc2e66f129ac34f636a0a7355f1a1d204175b013164773cd9d5cb2f45bd88f5
Score

8^/10

persistence vmprotect
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8
- Size
  
  636KB
- MD5
  
  b9d330bf786b93b2a580336aa176ca41
- SHA1
  
  3e79a5acbd1d23d33bf085edc76e2f661342f1e7
- SHA256
  
  5514456013c5492e1f41e7a6a59cba1bdc6d1555c5b169992aba575cb34cb0b8
- SHA512
  
  461e95596805e059f8509b461c1ef56e6c8819c3c46b0198220b3dceef69d387e7f0d4f69163d9402751734253751060e60f0d4463da0c452ccab6c9e554b2b5
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  61d44476deb3368a54bb936e56a7aadb9226e78b88f67f939ed1cf0932f3263e
- Size
  
  2.4MB
- MD5
  
  efb11012c0ce5a01bc08049bf5ce5cdc
- SHA1
  
  20af0614df492419e4a61e3c7d148efa99aa3325
- SHA256
  
  61d44476deb3368a54bb936e56a7aadb9226e78b88f67f939ed1cf0932f3263e
- SHA512
  
  cb490a0718c46b18a7710b3341fc580105429c5300f09d3511f47964134fc2332ed97f074868708a8fe17607c666926362e0ca2d1945d0f6342239ea08bff852
Score

9^/10

miner persistence
- Detected Stratum cryptominer command
  Looks to be attempting to contact Stratum mining pool.
  miner
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  6ee50d84fd4795440107550e6581ccb981f87dff2f216e5cc5a0314144b83ec3
- Size
  
  5.9MB
- MD5
  
  2a3a93cf80b22cce273abdff692e7aa9
- SHA1
  
  ea07ea21791230aab9b34220fe7dcc594383a046
- SHA256
  
  6ee50d84fd4795440107550e6581ccb981f87dff2f216e5cc5a0314144b83ec3
- SHA512
  
  06f180e1c839f5fe34edd3eca3a7ff1c6c1f6584b4b64041d69b7295632ca85d9b7a9498d8beab08e163a538af2e0a9c9615f172ff7ef5b06da81c552e657154
Score

8^/10

persistence
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral13 behavioral14
- Target
  
  82c04fda5985f51abe024bfda867bc3aaa0ffd26a500cd7cc40f8238df9b1eb5
- Size
  
  220KB
- MD5
  
  9a525447cdf4fa9373df6b8b9990b755
- SHA1
  
  57a7c1c471b07995ec7313cbda4a385812b335a6
- SHA256
  
  82c04fda5985f51abe024bfda867bc3aaa0ffd26a500cd7cc40f8238df9b1eb5
- SHA512
  
  ba2cf07821ae8f80a38fa3717a205d0db58f122e5f25a5ea805c96c695de5ced0d0a97b4148f230dfffe1eb64f0567bd4696a7f08202fb2f6017be08cf22d1a2
Score

1^/10
behavioral15 behavioral16
- Target
  
  a101cc8e9f1eac76c6fc006e9e746b59dc94b73e1358803ad94d70a0938d3a75
- Size
  
  250KB
- MD5
  
  61bb311ad857020ee001efdab0e01cf9
- SHA1
  
  17f8830b258000086b4f17521a892ca95adcb212
- SHA256
  
  a101cc8e9f1eac76c6fc006e9e746b59dc94b73e1358803ad94d70a0938d3a75
- SHA512
  
  1fea2b332e826ab77bfb76eeb8ded46461bf2b6b19555ba103be55a61d4985f15e2f8486229d3714807f7611f97ebe85b43229cf832ed51e4ebdc69ef6fa6c70
Score

8^/10

evasion persistence
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Adds Run key to start application
  persistence
behavioral17 behavioral18
- Target
  
  b5674726f7f51d5880211f8ca8aea069bc6fc758794748117db27b8df25a12b0
- Size
  
  208KB
- MD5
  
  92509360c9dbc6816758f265859a5144
- SHA1
  
  0d1b8967ecfa1ce68b52191c624169851fad38fa
- SHA256
  
  b5674726f7f51d5880211f8ca8aea069bc6fc758794748117db27b8df25a12b0
- SHA512
  
  95a501a3b5912ab2f60534f90f4a18143d4091facf5019ff6ace03925cfc0d592e1fde6c0a4dd025d8245ba30ff5c2d5291edf0633bc374de37deaafbba87c95
Score

8^/10

persistence pyinstaller spyware upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
behavioral19 behavioral20
- Target
  
  c939f36967412e7e4c1a893ac6c9d38eee2d49516bd9168af2e0a33819ffe708
- Size
  
  2.0MB
- MD5
  
  93cd33ee61e6fea5d670b5765a698be2
- SHA1
  
  de4d9ba17caabd7a8a7188f5d60d3683d93e3de5
- SHA256
  
  c939f36967412e7e4c1a893ac6c9d38eee2d49516bd9168af2e0a33819ffe708
- SHA512
  
  aff1dd7ae00cbc8f396113fc01178586ba9566fc50bd6cd01f34758229675d1eeb97f5e03d1dc709944d1db2daeec0a6a3e4c88b4cbe11fee10489bc917cd00c
Score

8^/10

persistence upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149
- Size
  
  44KB
- MD5
  
  ab7a640c6b203e4675a45a08eb96a998
- SHA1
  
  89b5ba11a035ef784854c94df020d283b6802b82
- SHA256
  
  de36168cfc6c51cd53027916aea1b4227ab736e517319804b826c8d4a3006149
- SHA512
  
  0168c99f2a7a71f5bd8f629083288723f0e7997423e787af46828fabd3b887395ad31539e0623e6b0bbcd3dde926c7e4a68f78dcec088cc5e3ae227a34eadf55
Score

10^/10

xmrig discovery evasion miner persistence trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral23 behavioral24
- Target
  
  eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d
- Size
  
  414KB
- MD5
  
  104d68ad37956b6b9ffe9a69effa6c57
- SHA1
  
  6e58c74c92ede192f323358d865f1ce94e69b33b
- SHA256
  
  eb9775066c55310131db50ee2606fb66353e4c694d5713abaddd2293806ac34d
- SHA512
  
  1aa56916792556d461c13343e37286eedbbf0b957a03d98f1916d1c797a036d88ec7f09baa02c45165dfc03b2b9bda6c056abe616abbf88b8f6dba338466bc49
Score

10^/10

amadey trojan
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Executes dropped EXE
- Loads dropped DLL
behavioral25 behavioral26

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Adds Run key to start application

Drops file in System32 directory

Amadey

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

Executes dropped EXE

VMProtect packed file

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Detected Stratum cryptominer command

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Executes dropped EXE

Adds Run key to start application

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Adds Run key to start application

Executes dropped EXE

UPX packed file

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

xmrig

Executes dropped EXE

Modifies Windows Firewall

Loads dropped DLL

Modifies file permissions

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Amadey

Executes dropped EXE

Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20