agenttesla | 1cd53c7db5f180ba563a800ebfd7dfd44445dc21a3dcd89ed0ae60ea52ea184f | Triage

Submit
Reports

Overview

overview

Static

static

TWI-SHA 202102.exe

windows7_x64

TWI-SHA 202102.exe

windows10_x64

Sharing

General

Target

TWI-SHA 202102.rar
Size

52KB
Sample

210414-jxsj2nnz6s
MD5

2d4a22b1391e4cd7150280bbbe1bdf7e
SHA1

07bfcdcc7ec434fe45696626920d30ff9666f019
SHA256

1cd53c7db5f180ba563a800ebfd7dfd44445dc21a3dcd89ed0ae60ea52ea184f
SHA512

14b63173b21767554829a5feb141e0904afaa33065d1ad4c9e125afc8e6e5ae1ede5b9ddea42462c82512d2cdad0d886963826c292c60065f5b78a33a49bb82d

Score

10^/10

agenttesla guloader downloader guloader keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

TWI-SHA 202102.exe

Resource

win7v20210410

agenttesla guloader downloader guloader keylogger spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TWI-SHA 202102.exe

Resource

win10v20210410

agenttesla guloader downloader guloader keylogger spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
p.pisapia@simonetta-it.co
Password:
HywxEue7

Targets

- Target
  
  TWI-SHA 202102.exe
- Size
  
  156KB
- MD5
  
  d5b8e2ce449917bf395454082de6cba9
- SHA1
  
  fe872c03ceef39422218003bc5a34be4faf47e55
- SHA256
  
  981d483b809a8d146115d1a1feb7bb8d588e014a0f009deb528662d39f5657e4
- SHA512
  
  54dc37f2345a4b70786920c80adf8c1fc72c9ab97edf95b239453c081ab221134fbbc8ae8d8fd3ce635d4b3aec8f42fbc44005930e917e10e1a72cbd5e442e48
Score

10^/10

agenttesla guloader downloader guloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- AgentTesla Payload
- Guloader Payload
  guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

agentteslaguloaderdownloaderguloaderkeyloggerspywarestealertrojan

behavioral2

agentteslaguloaderdownloaderguloaderkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy