agenttesla

Sharing

General

Target

Downloads1.rar
Size

7.6MB
Sample

210315-qqvpdsq646
MD5

d7641998bb05574dfc4c6863a2fdc310
SHA1

43952df52568ec55df81e429f237bead4828cb74
SHA256

2f1a6b566dc0d2b8e5fcdcf67adc0be912f73fe14c27b262b610dfcd03cd4686
SHA512

98e7c982f47ee48d384ba7d370d0e0a9dabe83fc5370227fcdbbba0c94be0ff52d818b32d59f31f84c586cd1416893c3b2078a11646fbeccaa692382fcb5fea1

Score

10^/10

Malware Config

Extracted

Family

lokibot

http://omann.ir/walex/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

trickbot

Version

1000089

Botnet

kas89

187.188.162.150:449

83.0.245.234:449

149.154.68.252:443

62.109.11.80:443

78.24.218.150:443

92.63.97.68:443

82.146.61.187:443

80.87.199.210:443

82.146.59.149:443

188.120.247.223:443

94.250.250.112:443

149.154.71.95:443

37.230.112.76:443

94.250.250.114:443

95.213.237.223:443

185.228.232.242:443

141.255.167.126:443

5.200.47.90:443

185.158.114.126:443

185.125.46.113:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  Downloads1/07b439787a516e6298c347a672039e6932699d3e2c9cddaf31c1a325cae5b3f5
- Size
  
  325KB
- MD5
  
  11fd85b0d430b1813516d7af9a743750
- SHA1
  
  1de709d077afdcf7a9d7702ca2e0c6c749a60a40
- SHA256
  
  07b439787a516e6298c347a672039e6932699d3e2c9cddaf31c1a325cae5b3f5
- SHA512
  
  dbc66a2c418f1c8738d006def8f43507ca1910d1540aa87aaf1eae5bca21985aaba649cae1f02b804afc10045d2f8134b11abf28ca59ab3864701a58addb3ac8
Score

1^/10
behavioral1 behavioral2
- Target
  
  Downloads1/24689a36a7f3427d98473599b6b73febe3f5c6b874fc7ec07d76fe4cdacf4041
- Size
  
  195KB
- MD5
  
  b748f08dd24c4892c1dd18796f4cc929
- SHA1
  
  2a89307d91d8ac2e332647c5ae72f3466b3bc252
- SHA256
  
  24689a36a7f3427d98473599b6b73febe3f5c6b874fc7ec07d76fe4cdacf4041
- SHA512
  
  b8545ea8bf0c0bf126921ca15439c85f89a5b26ecec7adb2cee8c3fe1af99ed28a3684b285ee902ddf5c909ba0e50107c100ae01b1a44b766005f520ab660d04
Score

3^/10
behavioral3 behavioral4
- Target
  
  Downloads1/2a299b9d8f0c05640b60bfceb4990661fbaa7154d0c688599e6afde72101a88b
- Size
  
  430KB
- MD5
  
  b7990b7bdad4bf82b78d0afd16c550e2
- SHA1
  
  2270cdd743603807fadec9061b38c180f048eff6
- SHA256
  
  2a299b9d8f0c05640b60bfceb4990661fbaa7154d0c688599e6afde72101a88b
- SHA512
  
  31f33d5bd48fe2eb4f5e4e296acbe04aed7ab87751e6e2136a310f0b137a930546e433f2267259f66155d5fe6c46bc5f416f37c4922c199a0eff9f914ba243cf
Score

1^/10
behavioral5 behavioral6
- Target
  
  Downloads1/2c69d3350203f1aa4c99848a097cf428fa6d748d28fb291a166710f78d6dd7d2
- Size
  
  304KB
- MD5
  
  dde7ff14407dd4ea62f9b513f927efb5
- SHA1
  
  d14973a87491a54dbfa611a4083edbc701f89ee6
- SHA256
  
  2c69d3350203f1aa4c99848a097cf428fa6d748d28fb291a166710f78d6dd7d2
- SHA512
  
  8663ba9a9f145767b1f0b6f34a096a41c2ea2d2d6feed3b644b496e26d59e6b622adc13c31d76c281b0352e6230d44cd6e8d2b009b94ab3d03b55e7852792d58
Score

1^/10
behavioral7 behavioral8
- Target
  
  Downloads1/339c67c2aaa2f7bc23ea77b1320a0dc43519a0561644c5bbc0b698c256cdf138
- Size
  
  701KB
- MD5
  
  297f01d8a32915fa04d66d3221b85252
- SHA1
  
  3013ed953b94146589398c1eec6b4e727d8dfff5
- SHA256
  
  339c67c2aaa2f7bc23ea77b1320a0dc43519a0561644c5bbc0b698c256cdf138
- SHA512
  
  755f8f3a5795894bfc06aef83f22137731752d38164d0df8b54ef49122b5afc0fa12e86d2a6ef095356e3de4b3344cea40cca483492b563226ebe2950a95173c
Score

1^/10
behavioral9 behavioral10
- Target
  
  Downloads1/484b0d880db7b05aa0b459e22c8c6f4dd1dd74f0731c46a24a1447b1f1a7ad92
- Size
  
  376KB
- MD5
  
  b74cfd9313cd899c8a5f487fe2db5c1a
- SHA1
  
  721a19a510c00f8407c94771619971c427c4358d
- SHA256
  
  484b0d880db7b05aa0b459e22c8c6f4dd1dd74f0731c46a24a1447b1f1a7ad92
- SHA512
  
  289effb488f885f7ead36460b3c61b5fd587cad3c891f43d3328b21a1f3ab74213887a3793a6c3195da81cd641ba456dc583697dede12d17d943ff5cf0ed5356
Score

10^/10

gozi_ifsb banker trojan
- Gozi, Gozi IFSB
  Gozi ISFB is a well-known and widely distributed banking trojan.
  banker trojan gozi_ifsb
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  Downloads1/569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046
- Size
  
  272KB
- MD5
  
  024cf2c94c771fffe32ec010d9fb786b
- SHA1
  
  028a67f1e497b2eede0a357a30bfd63dc7acaacb
- SHA256
  
  569c41122e32d220bfbaf714d360fa6238f44fe15dd398a5b4d2e05a57a02046
- SHA512
  
  9724f44a8e7e8fdd67570afc3e14c52062f378a4e9d4e5ce3d87cc848cf43394ae583e478739b20a26cfbde5a1da01ce3346c18861e663e9d19157c27b514324
Score

10^/10

lokibot spyware stealer trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  Downloads1/5991d72ef8f2e3f623afc25c0129eb408d3f5e4494b5052a4009c0d9172e082f
- Size
  
  460KB
- MD5
  
  121b06ee87950d0faeea0ba5b9c0a4cd
- SHA1
  
  c450634b90cceac6f7393d38fea10453a6010dfe
- SHA256
  
  5991d72ef8f2e3f623afc25c0129eb408d3f5e4494b5052a4009c0d9172e082f
- SHA512
  
  147d4a4b84f3d746fa336dcf8b657dd1894b939792dd7d90a32d866f7e17d7090c63e393db6709a55533bd2dcbb3c7180c048bcbdaeed91bb62cdb9f288b4abe
Score

1^/10
behavioral15 behavioral16
- Target
  
  Downloads1/5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78
- Size
  
  604KB
- MD5
  
  29649c968550c8e97565e81dcce5b81a
- SHA1
  
  a08c1bf3c9a73492ad27d793efa057f5582703ac
- SHA256
  
  5b712f3ced695dd1510320494ecac67b277c0b386ee465303504c89431f87c78
- SHA512
  
  87f09ffc9ebfe5e890e11445a8b856ad3521e2b021da9548e8594b85adb3b99c307224ca4e466f9057a92ead34eb8dceaa2556145676958af1233b6b174eb29f
Score

10^/10

locky persistence ransomware
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral17 behavioral18
- Target
  
  Downloads1/61f2d6fa249bfd74e59d8f6d50191c62490fc690f7fb035fe2133b4566b38a89
- Size
  
  236KB
- MD5
  
  e1618002c8700b4ae261b1e5aea00e42
- SHA1
  
  71a93b760fb4c0ee6201ea09a19b50fd46d0439f
- SHA256
  
  61f2d6fa249bfd74e59d8f6d50191c62490fc690f7fb035fe2133b4566b38a89
- SHA512
  
  264a802e3e9e406d4a3f42d518a1ee1d6492cc012489c22525f1476375d73008e9b79d85f789f6d321b39800374fefbfa671031e4db6e247a152205cf4f76b3a
Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  Downloads1/676b02d81ccb54835e6c176ca797757e4e61cd3d6dab30e91bc55bbb65471dee
- Size
  
  236KB
- MD5
  
  a66c1ca60c1036a8a2e8082626e254e3
- SHA1
  
  20a15bed4510e1f5c25cefca7fc0cad5e06d3d24
- SHA256
  
  676b02d81ccb54835e6c176ca797757e4e61cd3d6dab30e91bc55bbb65471dee
- SHA512
  
  dc1ecbafa25ba0bba04fc915d5620feb5f49f4f50d55fd182d5d2c226ca4847783032f18ff5338ad55dff805ab0ad1a042dad3a17109adae420c8eae7ab7b6a9
Score

7^/10

evasion persistence spyware stealer trojan
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  Downloads1/7194aa3ef48725220516bc618aec8ab92ddef859de8f584a6a214ed9812e221a
- Size
  
  441KB
- MD5
  
  ba722f76070e001e44c82998b66e9009
- SHA1
  
  98136a5f534249449b02528fc0c51be147dca4c8
- SHA256
  
  7194aa3ef48725220516bc618aec8ab92ddef859de8f584a6a214ed9812e221a
- SHA512
  
  1e805401f9166d53012a342bdbd9eba1253d9374af52440616f615d4e3aa2a9996f40398ca9c60e504e17f19029533445c3feca0900ff45339a37630932c6934
Score

10^/10

trickbot kas89 banker trojan
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral23 behavioral24
- Target
  
  Downloads1/7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af
- Size
  
  486KB
- MD5
  
  bf340b3ff326cede17c688bc4092a27b
- SHA1
  
  a6d924bc3dad2877866477e0bb5052e09f11c81f
- SHA256
  
  7682b842ed75b69e23c5deecf05a45ee79c723d98cfb6746380d748145bfc1af
- SHA512
  
  0594940822e46b333f8a68443e98b66b05952d10b8f5d389beeb10bf886d1f4bc1026792c3f6fedfbab8d9595533ceab434c061a2393901de5ecba638286e1e3
Score

1^/10
behavioral25 behavioral26
- Target
  
  Downloads1/772d9f798c5e823b84daa0928beb65722bdddf42e8bb18256a50dbaea959c321
- Size
  
  531KB
- MD5
  
  ff8701976c18d473b57dfeec5a57ce90
- SHA1
  
  e96d323e05e304888f1cd5d0402d51b6750ba8aa
- SHA256
  
  772d9f798c5e823b84daa0928beb65722bdddf42e8bb18256a50dbaea959c321
- SHA512
  
  0edc870ecda504785f3590366000db5f9c02e3a39d07304dcee053056cd3c54123f219ce8001d70819c638e2947da70f3554d88a976d7cfe813d37dbaeb3372b
Score

1^/10
behavioral27 behavioral28
- Target
  
  Downloads1/7c207a6ad28507e302b1165849b57a09695482d5c07bae27dcbba92a55163e5f
- Size
  
  228KB
- MD5
  
  380979b9e21db307888adec96ee96f14
- SHA1
  
  c2068fdeb14a2b74a4064d09a125ebdade741758
- SHA256
  
  7c207a6ad28507e302b1165849b57a09695482d5c07bae27dcbba92a55163e5f
- SHA512
  
  67a3a39b5dde555dbea6e219c8abc5eb53a2fa7495977ffdd70c93fc2228368d3340ef1038ffccefbfbde10d6c5e49e5e8196df24bd0d8aee86bf4901915265e
Score

8^/10

evasion persistence spyware stealer
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  Downloads1/81de8fd03493d938e9acc7f226768847a5034f5dbea98bdfb2bca67facc1b27c
- Size
  
  792KB
- MD5
  
  1ec44740e3d5d1fda054ad171c4cafff
- SHA1
  
  9bb3bb8d8bd19039b1bbaa0cddb02ab94c0dce6d
- SHA256
  
  81de8fd03493d938e9acc7f226768847a5034f5dbea98bdfb2bca67facc1b27c
- SHA512
  
  39f49a0a571c202ead51cc87947cd1ccfa807d5aa51af8e5df3c1621989cb91a04e06efdffb8bda7b8bfb4adbdd304157581764bee735821f17161c2c018fce1
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Gozi, Gozi IFSB

Loads dropped DLL

Suspicious use of SetThreadContext

Lokibot

Suspicious use of SetThreadContext

Locky

Modifies extensions of user files

Checks computer location settings

Deletes itself

Adds Run key to start application

Sets desktop wallpaper using registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Suspicious use of SetThreadContext

Trickbot

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Disables Task Manager via registry modification

Drops file in Drivers directory

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32