agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

4.zip
Size

29.8MB
Sample

210730-6ce6t59st6
MD5

ce09fd86f48ca550598456136c3878df
SHA1

3483bacb0ca5f7a36ddbf0a60268fa5b09bf4334
SHA256

2214bdc78b558176a17484bcc02079a5470e0b49073d50d19b522d67dc4396e3
SHA512

9277d9265eeadf617dec8a96faa2986cbc4354bbeabad544679f18b4537fba6c2c4889da51a538ccf0de5fa7717ab5e2e534476a5381dca268c3e3ba9a498d11

Malware Config

Extracted

Family

gozi_ifsb

Botnet

2500

todo.faroin.at

apr.intoolkom.at

r23cirt55ysvtdvl.onion

kas.kargoapp.at

io.feen007.at

gtk.uploner.at

l46t3vgvmtx5wxe6.onion

pop.biopiof.at

free.monotreener.com

tb.yapker.at

app.flashgameo.at

Attributes

exe_type
worker
server_id
580

rsa_pubkey.plain

serpent.plain

Extracted

Family

azorult

http://cskbtr.atspace.co.uk/my_profile/res/

http://185.189.151.50/7yhnm434/index.php

Extracted

Family

warzonerat

sdafsdffssffs.ydns.eu:6703

dfdgdsasedw.ydns.eu:34566

Extracted

Family

snakekeylogger

https://api.telegram.org/bot1846926808:AAGk2IzxSb5N5fdYKiaTr2kIA9QAdWBcb1Y/sendMessage?chat_id=1407381447

Extracted

Family

redline

Botnet

ytmaloy6

46.8.19.196:53773

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gilanis.co.ke
Port:
587
Username:
factory@gilanis.co.ke
Password:
Mullardodo@#

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://hutyrtit.ydns.eu/microF.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

httP://136.144.41.61/fresh.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

vidar

Version

39.7

Botnet

517

https://shpak125.tumblr.com/

Attributes

profile_id
517

Extracted

Family

vidar

Version

39.6

Botnet

921

https://sslamlssa1.tumblr.com/

Attributes

profile_id
921

Targets

- Target
  
  0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
- Size
  
  131KB
- MD5
  
  24c6336158943b9759bdd1f3da937bff
- SHA1
  
  b74fa33293f90edbacfae008ed5691efa1470523
- SHA256
  
  0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
- SHA512
  
  8a4c9b2bfd63bdc050dafdf6b7f6411dcfe641037a4587249f5de0704f7733a2c44dfb0457810b8a7191911396fb4f81b069636f602a00254729d2dd76e3b9a7
Score

1^/10
behavioral1 behavioral2 behavioral3
- Target
  
  219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0
- Size
  
  135KB
- MD5
  
  164076414dd3be991ebc9d4d17101296
- SHA1
  
  0fa986a6834c79eb1b756b1a05954d96a770e4d7
- SHA256
  
  219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0
- SHA512
  
  16e004f19d1466142d190094f7dfa0a89e61b45f1e1e161822fb0934635dfd514bf00c4020bfa6fbf2f177c1491f528be9f66fcc15f6f1ca1ecc897d01cd9d21
Score

10^/10

azorult infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral4 behavioral5
- Target
  
  2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03
- Size
  
  816KB
- MD5
  
  069c9912fa773cada0e357556182f089
- SHA1
  
  4f3e4f2d9b361b5747baeeb0178908a2f8d3339c
- SHA256
  
  2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03
- SHA512
  
  3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592
Score

10^/10

warzonerat infostealer persistence rat spyware stealer snakekeylogger keylogger
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral6 behavioral7
- Target
  
  36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0
- Size
  
  218KB
- MD5
  
  760ae5e7793de36ae8159fc128687577
- SHA1
  
  0b1e5bd4e2cf0888d66350ecd4bcecf7f950acee
- SHA256
  
  36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0
- SHA512
  
  ca9d592d86feecafb557ae5422eff45020863b38fc5c36ed32c9381fd2f154a0125f77ed76cc1f1ea3aef04e4874ca36bc2da6d1f634f1ad6d4dfbc7a64f9f30
Score

10^/10

redline ytmaloy6 agilenet infostealer
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral8 behavioral9
- Target
  
  4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65
- Size
  
  941KB
- MD5
  
  59e2fd2ce7f30f5e5bd8300cd86dab47
- SHA1
  
  bbc0545dcfb7e5f2fda1e46f82054b9e4ef2f599
- SHA256
  
  4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65
- SHA512
  
  ab93fcb95cd0727d19235e50da9bebd7cf83caebe06d74b77d6daa7ede83d82c16bb5756f8c50dbd52b8b8d80a89c346f5d1858eaf5adce6103e0ad10c83a880
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Drops file in Drivers directory
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral10 behavioral11
- Target
  
  42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
- Size
  
  236KB
- MD5
  
  72d9c62e4483519df1303fe0c46d16aa
- SHA1
  
  12093edc01bcf89eb7a9758d1392592fb273de35
- SHA256
  
  42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895
- SHA512
  
  cf6d6c1a6072c022ab4d19f098715cba02f8dcc74f01ce7ad735d5cdb5c7505aeb9c98fb9ff3faac7932ffbdb7cdf581c583fa846cc76b71dee3f2a71b7b30a0
Score

10^/10

guloader downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
behavioral12 behavioral13
- Target
  
  52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d
- Size
  
  1.0MB
- MD5
  
  28463ecd87dbf6503d58e158785965ac
- SHA1
  
  12c8088fc0ac36692e9067a1e28c1ef7bf46de46
- SHA256
  
  52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d
- SHA512
  
  fa9ad0f8a0de9120e0e6439548f7c3c2c22399b06818e3baaacb0ed5306610a385c594a7c7a763509e47bcfa0aa105c9480ebd37f810b7e756eff17697051061
Score

10^/10

warzonerat infostealer persistence rat spyware stealer
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral14 behavioral15
- Target
  
  571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931
- Size
  
  4.7MB
- MD5
  
  a5ce2653f5f74c7ba7901f79cf9932a5
- SHA1
  
  a6e4e0070694b6779627643c18850b9a16d047ee
- SHA256
  
  571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931
- SHA512
  
  4b7d5662483e78b98841f25b61e5019424cf99e24ca7b7c87c011a0ca406b9cb8d0360aa42a260e2bdb5d1f731faddb726c13de13d8c6f6ef830f93c0da081a3
Score

10^/10

azorult infostealer suricata trojan vmprotect
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
  suricata
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral16 behavioral17
- Target
  
  57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752
- Size
  
  662KB
- MD5
  
  47a5e618c809f1f37bccced9d3536deb
- SHA1
  
  da3a6f5851537edffcc29e9bf4282d552090ce6e
- SHA256
  
  57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752
- SHA512
  
  0d4f429f517b2d2045ef32e3a8e3f86b9a250e7f666398d88409a9a56e2a155baef2decf3c167941cd7da28b503241a6f9553d3ca06094bb965781097cb7a18c
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
behavioral18 behavioral19
- Target
  
  662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a
- Size
  
  811KB
- MD5
  
  40cc8249b0f31d6e1c0065aab24007b1
- SHA1
  
  f73e02ad09976ade8985ec833c5743dc387c9687
- SHA256
  
  662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a
- SHA512
  
  0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351
Score

10^/10

warzonerat infostealer rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral20 behavioral21
- Target
  
  70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191
- Size
  
  240KB
- MD5
  
  6a30baaf46fc33081f84b1cb3d552b2b
- SHA1
  
  1a394fa6e1d2cabc575c31dfce4cada7b8b3eb65
- SHA256
  
  70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191
- SHA512
  
  e88c72878c960856f245b4705cf65e9d7e7c3f26b7ba0fdc2693bf759c757ac7b8396e53493d654ea753b2edb40b70f3ff0e8d6ffdafb7384dbeb7795996d3a7
Score

1^/10
behavioral22 behavioral23
- Target
  
  71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386
- Size
  
  748KB
- MD5
  
  44020c86a10168041f6ddde52fd3f4d4
- SHA1
  
  0dc9cf42fb0b5670d54307c9eb41cbc43bd66454
- SHA256
  
  71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386
- SHA512
  
  163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b
Score

10^/10

snakekeylogger warzonerat infostealer keylogger rat spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral24 behavioral25
- Target
  
  79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
- Size
  
  9.2MB
- MD5
  
  5e12e56a643c71b913ea60f48f28726d
- SHA1
  
  8fd9ef3e15b545335c9cf8a16e7d49bdedc7b6fd
- SHA256
  
  79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d
- SHA512
  
  807888068394b8072d607a83b7a181f5018c21c1efd2b8ae433ac59dc28bfbec23e1b13d8b6a2447a3ff8bb9b7ecd71d4d7bff55903a2d23a60b817142c9bae3
Score

10^/10

servhelper backdoor bootkit discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Modifies file permissions
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral26 behavioral27
- Target
  
  83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3
- Size
  
  708KB
- MD5
  
  b2a93feb45e2d76bdfc83c623a14d5bf
- SHA1
  
  f39c5e92adb9ba4602d8973cc286ab265f11d137
- SHA256
  
  83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3
- SHA512
  
  db93fcade10ff3b4291d6337acdb9a675e178154d98c1feb5f5c63e814edd08a37cfcab0140a6e0b84e5013127a93c8c4c4249c5d669a148fb0caf65575c66a5
Score

10^/10

vidar 517 discovery persistence spyware stealer suricata ransomware
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- Vidar Stealer
  stealer
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral28 behavioral29
- Target
  
  8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0
- Size
  
  2.2MB
- MD5
  
  4b367c52435f4a834d04797267f84240
- SHA1
  
  0cfe62030093baf55769d3d33f024ffdde5417b3
- SHA256
  
  8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0
- SHA512
  
  a520b430f686b073d744f262411395231bab5093ea0c95d6fe6400ce1d761cb443b43ec8999f12926186f72cfcba371c2b44c9c3ff09125009e90633bafdd598
Score

10^/10

vidar 921 stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar Stealer
  stealer
- Suspicious use of SetThreadContext
behavioral30 behavioral31
- Target
  
  a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
- Size
  
  236KB
- MD5
  
  73bb5c4b690b8d6df88d6bc18fb3a553
- SHA1
  
  60adddd91b6038fc9d819cf6d647ce3be0b11d38
- SHA256
  
  a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
- SHA512
  
  9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
Score

10^/10

guloader downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Account Manipulation

T1098

Bootkit

T1067

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

Azorult

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Snake Keylogger

WarzoneRat, AveMaria

Downloads MZ/PE file

Executes dropped EXE

Sets DLL path for service in the registry

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Modifies WinLogon

Drops file in System32 directory

Suspicious use of SetThreadContext

RedLine

RedLine Payload

Obfuscated with Agile.Net obfuscator

Suspicious use of SetThreadContext

AgentTesla Payload

Drops file in Drivers directory

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Suspicious use of SetThreadContext

Guloader,Cloudeye

Process spawned unexpected child process

WarzoneRat, AveMaria

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Sets DLL path for service in the registry

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Modifies WinLogon

Drops file in System32 directory

Suspicious use of SetThreadContext

Azorult

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Process spawned unexpected child process

Blocklisted process makes network request

WarzoneRat, AveMaria

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Snake Keylogger

WarzoneRat, AveMaria

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

ServHelper

Grants admin privileges