agenttesla | 043544fc666b260b348dbd6c004ac8a76c62418e34b3330e6d0a1fac1dfc3f9f | Triage

Submit
Reports

Overview

overview

Static

static

5f5975aa54...e2.exe

windows7_x64

5f5975aa54...e2.exe

windows10_x64

Sharing

General

Target

5f5975aa54916c31a205ae5c29c0bfe2.exe
Size

368KB
Sample

210715-letdbzjsba
MD5

5f5975aa54916c31a205ae5c29c0bfe2
SHA1

4c309f984a5d02227773cf476384422aa8f34819
SHA256

043544fc666b260b348dbd6c004ac8a76c62418e34b3330e6d0a1fac1dfc3f9f
SHA512

0277be3783adf1266d77dfbcfa3f586ce58f9a63a5293a8cc75d21a7b9fa713c83fa7119fed892f320e8dd01b1940a6a1aebd5f47a62bb73a98b04101bf0775e

Score

10^/10

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

5f5975aa54916c31a205ae5c29c0bfe2.exe

Resource

win7v20210410

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

5f5975aa54916c31a205ae5c29c0bfe2.exe

Resource

win10v20210408

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

sdafsdffssffs.ydns.eu:6703

Targets

- Target
  
  5f5975aa54916c31a205ae5c29c0bfe2.exe
- Size
  
  368KB
- MD5
  
  5f5975aa54916c31a205ae5c29c0bfe2
- SHA1
  
  4c309f984a5d02227773cf476384422aa8f34819
- SHA256
  
  043544fc666b260b348dbd6c004ac8a76c62418e34b3330e6d0a1fac1dfc3f9f
- SHA512
  
  0277be3783adf1266d77dfbcfa3f586ce58f9a63a5293a8cc75d21a7b9fa713c83fa7119fed892f320e8dd01b1940a6a1aebd5f47a62bb73a98b04101bf0775e
Score

10^/10

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- AgentTesla Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

behavioral2

agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy