agenttesla

Sharing

General

Target

27-07-2021.7z
Size

4.3MB
Sample

210727-rl9s8e8rt2
MD5

40bd404957785859d7dc75f986b0e9b5
SHA1

c23abb937f8f509d8e80d366ec2580206a590c64
SHA256

a544b4050677d9e5ad964398954cf7d74c96b65a1126a8bb3491fbe52ff0ec10
SHA512

fd553802e9a27dd8e07b18af8d4d3511fe9e41dae54d01c8211a57742c3308e133735a289f9242688df8fc27fbf8ccd1cfbe33e36469f1c651972cd95e9ac50b

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://lifestyledrinks.hu/wp-includes/cs3/ETL_013265_601_0758.exe

Extracted

Family

snakekeylogger

Credentials

Protocol: smtp
Host:
netjul.xyz
Port:
587
Username:
shotels5@netjul.xyz
Password:
ZG-6{&tj}+P&

Extracted

Family

xloader

Version

2.3

http://www.inverservi.com/m6b5/

http://www.innovisionuk.co.uk/eds5/

Decoy

ixtarbelize.com

pheamal.com

daiyncc.com

staydoubted.com

laagerlitigation.club

sukrantastansakarya.com

esupport.ltd

vetscontracting.net

themuslimlife.coach

salmanairs.com

somatictherapyservices.com

lastminuteminister.com

comunicarbuenosaires.com

kazuya.tech

insightlyservicedev.com

redevelopment38subhashnagar.com

thefutureinvestor.com

simplysu.com

lagu45.com

livingstonpistolpermit.com

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.alruomigroup.com
Port:
587
Username:
chimaobi@alruomigroup.com
Password:
LtURz%y7

Extracted

Family

lokibot

https://pakilogs2020.xyz/t/e/yaya.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

- Target
  
  27-07-2021/27-07-2021/Dike-Infocert-Upgrade.pdf
- Size
  
  166KB
- MD5
  
  79d72109de10fb216e198acc18fa2a9b
- SHA1
  
  5a6379f5049fc32a789b9ee352e4aeb81aa02e85
- SHA256
  
  997faf26c74e06deed8c11b029e87c5eb1e577b31f1be8646bb583be4d9bf131
- SHA512
  
  616057afa72f5c2e014e5a9e75b10dd6941968a5ee9430beac84214205953362242a3dd47cd6b8d5586e002c5475edbe01b820545b252406d3e1bfc0242c5417
Score

1^/10
behavioral1 behavioral2
- Target
  
  27-07-2021/27-07-2021/ETL_013265_601_0758.doc
- Size
  
  114KB
- MD5
  
  a35d5eec842a0785f5b461da949b00cb
- SHA1
  
  fec56ecc489b226da672ecd31428a568b3e9dd2b
- SHA256
  
  1f2a609fdb89b7fda367578568a00f9739105c8a01202fd7c8784515be4bdd35
- SHA512
  
  fe60851ff0f43f0f55aac199dbe53a4de8a28e34732a4d83cca2d9f9820141f5dfbbfd7e5973e4c4226a16e1f4962395c9a97015dabe86a817f6970c2777ff82
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral3 behavioral4
- Target
  
  27-07-2021/27-07-2021/ETL_013265_601_0758.exe
- Size
  
  337KB
- MD5
  
  863073f13eba19c52ef95da414aa6d6e
- SHA1
  
  195ac3ae5de2823931a3a6d9f3d455d9b107cbe2
- SHA256
  
  977a7f6f9d32df5d74f58a8fefabda186f1b467a9ff25551ab2667e620c8d136
- SHA512
  
  60083a00b32fffed577944d94596e92e009ed882a10a54de83f7436a1118777582703fbdcf6677896c3e0840ce4deb9d857963df0122f112eaa783a61d2d6102
Score

10^/10

snakekeylogger keylogger persistence spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  27-07-2021/27-07-2021/FL_6110_32_75_21.docx
- Size
  
  23KB
- MD5
  
  182a5a29ec72c7c85f8e591f3018f84c
- SHA1
  
  bb1a1880958dfc7bd6b158244f8c70f9e4519c89
- SHA256
  
  d8b0149aca86d6e42663afdca70f90c3cbe9c9ab92a2f3dce4c511023da16b58
- SHA512
  
  ef01108b087508448ec47c6de75fedfe3db5504ce6b920a613b5665a56d981eb6eabb88a40e61203a11cf29965a1eb8468025a1e91b07876217ae882d6da7e0c
Score

4^/10
behavioral7 behavioral8
- Target
  
  27-07-2021/27-07-2021/IMG_1026001780541.docx
- Size
  
  18KB
- MD5
  
  7dfffb928a11a1609d6e211a4a185291
- SHA1
  
  20fd0c988d8507b2590cb3959d1d1a8c0d91b33f
- SHA256
  
  bfb18865baa2b888ffdb2ac40383f02e15eb1fc3f0af58a3af6910cf3bbf6be5
- SHA512
  
  0e455e70dc07a7a2521417d5a2f2fa047fbcef3a0260a17ed66f505d61e9a4eeb3e4e2ffeedf1e53a2fed65def123cb6ae5affb5a3e5329fc6b29247ac41c3fa
Score

4^/10
behavioral9 behavioral10
- Target
  
  27-07-2021/27-07-2021/Inv_7623980.exe
- Size
  
  957KB
- MD5
  
  ac0aafad021d642a83f0e0e00f925160
- SHA1
  
  9a225f4936ef458a3371e7681f942b7733d8eb25
- SHA256
  
  81cbdffd1b44ca983180456d058b8eaadf51adbd19600dbbde68be7a4ef09a54
- SHA512
  
  07683f8a9d789cc6e29a3ece064df8d9ba8e3d083a13c76cfeb669b75ecbfc0108669c3438a67fb9034a5fb98864680b6298d0c5506046f4d3581b08cb1d1504
Score

10^/10

xloader loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Deletes itself
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  27-07-2021/27-07-2021/New PO.exe
- Size
  
  922KB
- MD5
  
  5b65abb4776d7bae7624c3085a5a227a
- SHA1
  
  7eedb005b4e3a79aa4482f8fe04c16ee4490bfb6
- SHA256
  
  4f28687d01e29f37854b840c3f5f0fe2cd506c87d4f7b036bdddcd147dc2cbc3
- SHA512
  
  0950b2d6597edc91ca41f54c368dc2cef78827a5be23d056a90d2459639763929365cf926ff219a4884925e3ae79b360f55c98b8f909c34236890ac26f60fba6
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  27-07-2021/27-07-2021/ORDER LIST.exe
- Size
  
  1.0MB
- MD5
  
  acb2c77ec09e0f489a46d0444fd13722
- SHA1
  
  e1c634d2c126badf2653321cb8bf00a8fb0ac758
- SHA256
  
  4d5b7a00ca51272e234b450d592eaa7fead764c48374683aedc1ecb92959ac58
- SHA512
  
  305235b692ab46567e93fa43b05f84a1d01a17522deac2860219e2eb7857b99581c03ec0c6e4a784c2c3b92eba7b6700900ec5e08797d031d2f95381c9669c31
Score

10^/10

agenttesla agilenet keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  27-07-2021/27-07-2021/REQUEST FOR QUOTATION.exe
- Size
  
  971KB
- MD5
  
  e2995661e50a0417ea38b5b913c2c3e2
- SHA1
  
  98bb91436bb06e8fd972bf16cfd80b00c9f17fbf
- SHA256
  
  1c9886a480ebd5e6c337b744f50c83a7ec80960b4dfd1b879be4ea32c9851674
- SHA512
  
  b0c83d2858640b7fbb6906a299e8fa51a9ad78c48121d7edbab306771747aa52e3af95cd2521911f1d16f9cfba630f30625c05fb710f7f6eee77ffd6971817db
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  27-07-2021/27-07-2021/Remittance Copy 22-07-21.pdf
- Size
  
  22KB
- MD5
  
  aeafd0bee485a843ee4210ed01358720
- SHA1
  
  882368e6f101ad0f25264d6e437cb79c3d736ede
- SHA256
  
  e1665fd25b191c4151e161d52a2b8900d0786e06d684188f457041551bb5581d
- SHA512
  
  9d50892b4780f4bcebb556181391bc0fffdbe12b4325331f9d9f22c693012ce821d071573a74f9ea0bc708c154b9465f316168c7ef2c3ecd86b6be39bc95f915
Score

1^/10
behavioral19 behavioral20
- Target
  
  27-07-2021/27-07-2021/SWIFT COPY.exe
- Size
  
  856KB
- MD5
  
  3a1ea135a9c0052092eedfcabe68aed8
- SHA1
  
  74a913e85badf5a2e4deb3d2432968c45b7f33a6
- SHA256
  
  47330ca2aa141e11e54335dbf0eea19ebb923d0b5c3670b20ee051678d87b68a
- SHA512
  
  8c1191829862bffd20627d60b4087d1fdc0cda858de48cca42123123f8e3a2f3778d6e45c1438b3289f768681f4c624fe85a46a58de7bf53996eeea0897f318a
Score

10^/10

snakekeylogger keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  27-07-2021/27-07-2021/WE09858577444.BAT
- Size
  
  714KB
- MD5
  
  bc8b50b6a11269ee38311b3fa4df309f
- SHA1
  
  47b34c1e6c0be4009aa751eb3b9cf8f1e2fa31a7
- SHA256
  
  b1ec17858b3f2267763c44d569c272eafbae5ac893575a8a0db0cd066a42baf8
- SHA512
  
  d544330b4d45479ce5e0de455cf1416e0b19fbe811d8b6621a0d9dd0a3851372ac03d88d0c9f2fded7afce79ada6adca0687b8b3cfd62e5a8cf218c7baa36a3b
Score

10^/10

lokibot spyware stealer suricata trojan
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- suricata: ET MALWARE LokiBot Checkin
  suricata
- suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
  suricata
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  27-07-2021/27-07-2021/inquiry.exe
- Size
  
  633KB
- MD5
  
  2241793c4af10d980c06107b8b55c2f2
- SHA1
  
  7e2aa1cdb794b9e81170be270ce9ecc5f2c19187
- SHA256
  
  794e8844531d9ea6f37755360d429ed93827c79e77c7b5bf76ad08b4108549dd
- SHA512
  
  6ffebecf90b5455e5fefcd3488c1914ee104fa360a1f434e4f1d5a565be3483a122e34e9b572149e393212e36b5c18b0d7d1e8e5c0c6257c63611e697eb2b73d
Score

10^/10

xloader loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Suspicious use of SetThreadContext
behavioral25 behavioral26

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Snake Keylogger

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Deletes itself

Suspicious use of SetThreadContext

AgentTesla Payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

AgentTesla

AgentTesla Payload

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

AgentTesla

AgentTesla Payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Snake Keylogger

Snake Keylogger Payload

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Lokibot

suricata: ET MALWARE LokiBot Checkin

suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)

Suspicious use of SetThreadContext

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14