agenttesla | 0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901 | Triage

Submit
Reports

Overview

overview

Static

static

9bbecc1749...5e.exe

windows7_x64

9bbecc1749...5e.exe

windows10_x64

Sharing

General

Target

9bbecc1749b4de47b175c20ddddd335e.exe
Size

1.2MB
Sample

210723-k33d5qewvx
MD5

9bbecc1749b4de47b175c20ddddd335e
SHA1

ee1512d73ce9375b7ee1c2fc4ffc5f994f4929ed
SHA256

0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901
SHA512

3aa6002a7149a16a2c3eabed98c4bc65af5683853f231eeb8d70eba0452d9e2e79d76effd5101d1958491dc0498c0f10abc06c42ec02f03ef7792529c4669254

Score

10^/10

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

9bbecc1749b4de47b175c20ddddd335e.exe

Resource

win7v20210408

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

9bbecc1749b4de47b175c20ddddd335e.exe

Resource

win10v20210410

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

warzonerat

C2

ghjklhgteg.strangled.net:6703

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1846829589:AAHSsEDTKvDOQ17YrNRY5_FXv5z4mpfGRIc/sendDocument

Targets

- Target
  
  9bbecc1749b4de47b175c20ddddd335e.exe
- Size
  
  1.2MB
- MD5
  
  9bbecc1749b4de47b175c20ddddd335e
- SHA1
  
  ee1512d73ce9375b7ee1c2fc4ffc5f994f4929ed
- SHA256
  
  0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901
- SHA512
  
  3aa6002a7149a16a2c3eabed98c4bc65af5683853f231eeb8d70eba0452d9e2e79d76effd5101d1958491dc0498c0f10abc06c42ec02f03ef7792529c4669254
Score

10^/10

agenttesla warzonerat infostealer keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- AgentTesla Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

behavioral2

agentteslawarzoneratinfostealerkeyloggerpersistenceratspywarestealertrojan

© 2018-2024

Terms | Privacy