agenttesla

General

Target

PO-21322.xlsm
Size

417KB
Sample

210322-lvw4w6fd92
MD5

e391234ad8969ee93813458c325194c4
SHA1

cf4cbacbb5533ec90ec8215d01284d18b35dd139
SHA256

2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
SHA512

85fb0a3c785da2a5b7a407e052d02a9d17653fc3a8baa9f5b1693e266fb6e5acd2c548042218e53a8ceffd8a48081216fac5868ce05dc76e1defd8223c1fe091

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://transfer.sh/get/NTxd/notepad.exe

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
zahimrahim18@gmail.com
Password:
pifgweijlylkellk

Extracted

Family

asyncrat

Version

0.5.7B

C2

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:49703

chongmei33.publicvm.com:49746

185.165.153.116:2703

185.165.153.116:49703

185.165.153.116:49746

54.37.36.116:2703

54.37.36.116:49703

54.37.36.116:49746

185.244.30.92:2703

185.244.30.92:49703

185.244.30.92:49746

dongreg202020.duckdns.org:2703

dongreg202020.duckdns.org:49703

dongreg202020.duckdns.org:49746

178.33.222.241:2703

178.33.222.241:49703

178.33.222.241:49746

rahim321.duckdns.org:2703

rahim321.duckdns.org:49703

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
hGScKRB0VrlS4WpFo0N7AmnZQApV4qsi
anti_detection
false
autorun
false
bdos
false
delay
FEB
host
chongmei33.publicvm.com,185.165.153.116,54.37.36.116,185.244.30.92,dongreg202020.duckdns.org,178.33.222.241,rahim321.duckdns.org,79.134.225.92,37.120.208.36,178.33.222.243,87.98.245.48
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
2703,49703,49746
version
0.5.7B

aes.plain

Targets

- Target
  
  PO-21322.xlsm
- Size
  
  417KB
- MD5
  
  e391234ad8969ee93813458c325194c4
- SHA1
  
  cf4cbacbb5533ec90ec8215d01284d18b35dd139
- SHA256
  
  2657a10c7ccd83fe042c172a67c31c3a40dfff1c97cc7549533b2af8de2eb88e
- SHA512
  
  85fb0a3c785da2a5b7a407e052d02a9d17653fc3a8baa9f5b1693e266fb6e5acd2c548042218e53a8ceffd8a48081216fac5868ce05dc76e1defd8223c1fe091
Score

10^/10

agenttesla asyncrat evasion keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies system executable filetype association
  persistence
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- AgentTesla Payload
- Async RAT payload
  rat
- Nirsoft
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2