agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

aaa.zip
Size

4.1MB
Sample

210215-9e3pnsgp7x
MD5

d33b55d5c3377fe8204f96d9c1d1b1cf
SHA1

e4a87c5f33b9583a2226c3d1c70a5e03559318af
SHA256

a46de7b1eb5d6bd50182eebb1822b4535f3018136cd98af27ae6c462583a2267
SHA512

678ffb46def52e89dcafc2d29981a3adc0a0f90554716517511ae773db229aed0f78b62e75c3662a6a34ac6588fd0083536149f04a630a764b6787dbf9794ce3

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

malekbb.no-ip.biz:662

Mutex

5903db4c13d1ac1ce32218dcef1070c0

Attributes

reg_key
5903db4c13d1ac1ce32218dcef1070c0
splitter
|'|'|

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.framafilms.com
Port:
587
Username:
framafilmsint@framafilms.com
Password:
lister11

Targets

- Target
  
  44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0
- Size
  
  291KB
- MD5
  
  607c01900304acc7f782804137fa44bf
- SHA1
  
  e14cfba7a66ac53913ced41201fb1f13704b506b
- SHA256
  
  44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0
- SHA512
  
  709911cb696ebdfccf1d58eaf52250b440049fb3116e2f80a7c9ede93c6f0b166dea363a06af8111a8545e4990505734dec164042a541df89d02608cedf95bc1
Score

6^/10

persistence
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b
- Size
  
  227KB
- MD5
  
  22b5a511813719a44ef83c069a6d6c1e
- SHA1
  
  59a596658a1377cdec3febf1748fc768613c4373
- SHA256
  
  63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b
- SHA512
  
  844ca6027e2dc5b5ea2708c9fb25c40c4988c110099bbe1e5c998a7aa478f52114eb5ed58fc8e7623bb99abbcd681b9d0a4e5ab10384eac7a8a2ae204e3242a0
Score

8^/10

evasion persistence
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
behavioral3 behavioral4
- Target
  
  77d426d73e3aeef4eb5f1ccf5e3815f52af9c4d6b86d43cc5533548a0ab764f7
- Size
  
  118KB
- MD5
  
  b476a37c3992435b0fa0bb5a405dd102
- SHA1
  
  eac0f771b2bc88041dfc0ad101eef1ec5cd23ef9
- SHA256
  
  77d426d73e3aeef4eb5f1ccf5e3815f52af9c4d6b86d43cc5533548a0ab764f7
- SHA512
  
  87b9dd1b42ad4500803efed77775f50e3e1626fcfee8568a6f35c28a39b9c31fca8c53c282027ce5904f6e63518c4446446052de8d311f8b919b17e6b6fb2df7
Score

10^/10

njrat hacked evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
behavioral5 behavioral6
- Target
  
  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8
- Size
  
  3.4MB
- MD5
  
  f9f30b7f542749d343862f6b7b35aed7
- SHA1
  
  f3b220fdd7c3b9b534c88a53d9ef26b67fe6345e
- SHA256
  
  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8
- SHA512
  
  7edd1dda6363b375024dddf5f5d5cc214dc3602c2a72012bf851cab3979e8ae6f06cf72e58f6f8d7aac7642519ac6f6f6c162fc92cbddcc625b2776b985b6202
Score

8^/10

persistence vmprotect
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
behavioral7 behavioral8
- Target
  
  95cff1b536234f6cb1b3682bf4d88a3b4583710450652a9d928f67149f1208b3
- Size
  
  128KB
- MD5
  
  1f03ede3a1804f11147df68813487efe
- SHA1
  
  903349bf43331599fc30beb3a88d2658271cc669
- SHA256
  
  95cff1b536234f6cb1b3682bf4d88a3b4583710450652a9d928f67149f1208b3
- SHA512
  
  d5800a0fd5807297a2d7aa1de8d57e11266d7d1b61eb374603b4bdca80ae1485046c3a8c4d376b0d75535a15bdfa99df38391bb42c4b1d1b29cfc0e64bcd48e5
Score

10^/10

njrat evasion persistence trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Drops startup file
- Adds Run key to start application
  persistence
behavioral9 behavioral10
- Target
  
  c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c
- Size
  
  852KB
- MD5
  
  960191154378e1cce6b97afecb7ce257
- SHA1
  
  6ad76d2ef1d98eabe85fb51c369e7033e6846c38
- SHA256
  
  c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c
- SHA512
  
  68bb33002fd109a745f965e3936ccdc11ad4220122017bba3694a3122e99e3b04c9b04dfafaa7646d14a3461f23806b30701ce5c2eda8eef7950a8e796724846
Score

8^/10
- Executes dropped EXE
- Drops startup file
behavioral11 behavioral12
- Target
  
  d10a043f50b47c93c7bdd522d777d62b6034134605449465c2cd3e66958be4fd
- Size
  
  329KB
- MD5
  
  78b653b28d2b8e80815d3cbd6eba5914
- SHA1
  
  cd505bf33e513748775a7e7bcb6f6ede31ae2e17
- SHA256
  
  d10a043f50b47c93c7bdd522d777d62b6034134605449465c2cd3e66958be4fd
- SHA512
  
  2fed311043f0163537296b60b2993fb6712b3dd45cce581d731b1c03df05edf2ea24ef9c9f7f2186f4b0e61b1ac184452dc94c808b508e429c9ab52785626b1f
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  e265a0c4cb17501c0c96d3b9c996c27a6cb3479d20802c90ed9535d8e31075ed
- Size
  
  175KB
- MD5
  
  07eff280286ecca84b93cc24a6a00e9a
- SHA1
  
  add9558ab8090356e82a0cd6a4b1854a2bff2e69
- SHA256
  
  e265a0c4cb17501c0c96d3b9c996c27a6cb3479d20802c90ed9535d8e31075ed
- SHA512
  
  bed191c3f98cdd73a1f356e2aa8e27333bc8b892cd9b2a4db4fe4aedbe51bf173a46c8a2cb208c80dd397077ff564fd98490dbedbba2f16db3a4f421984ee810
Score

7^/10

persistence
- Drops startup file
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Adds Run key to start application

Executes dropped EXE

Modifies Windows Firewall

Drops startup file

Adds Run key to start application

njRAT/Bladabindi

Modifies Windows Firewall

Drops startup file

Adds Run key to start application

Executes dropped EXE

VMProtect packed file

Adds Run key to start application

njRAT/Bladabindi

Modifies Windows Firewall

Drops startup file

Adds Run key to start application

Executes dropped EXE

Drops startup file

AgentTesla Payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16