agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

1.zip
Size

21.7MB
Sample

210730-jtchfaahb2
MD5

a9460cbeecd230ffdb2c22ae81409572
SHA1

8bb274360ff935d945b2a899fe9dc304e5c0a290
SHA256

031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18
SHA512

efd0f21fd9e24225d240c74b03ba2ac734e47ebfc47c74e69fed6d77cebfe42a9838a54822d8de5e0cbba9daff6909ac4484f779d3842a156451a3eebc5a0a10

Malware Config

Extracted

Family

formbook

Version

4.1

http://www.constructioncleanup.pro/vd9n/

Decoy

theunwrappedcollective.com

seckj-ic.com

tyresandover.com

thetrophyworld.com

fonggrconstruction.com

hopiproject.com

sktitle.com

charlotteobscurer.com

qjuhe.com

girlzglitter.com

createmylawn.com

hempcbgpill.com

zzdfdzkj.com

shreehariessential.com

226sm.com

getcupscall.com

neuralviolin.com

sanskaar.life

xn--fhqrm54yyukopc.com

togetherx4fantasy5star.today

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.badonfashoin.com/
Port:
21
Username:
[email protected]
Password:
kKsIA9XNV2zG

Extracted

Family

xloader

Version

2.3

http://www.ker-huella.com/synv/

http://www.inverservi.com/m6b5/

http://www.panyu-qqbaby.com/weni/

Decoy

hareemshareem.com

aromaticus.club

sakabay.com

ebtedaieeduone.com

goodyertirerebate.com

mehmeterdas.com

everestjsc.com

eqtclub.com

ahlcide.ovh

snifu.com

grinabrasive.info

ijustwannablog.com

eng-in-use.com

mo-ip.group

beautynblackbody.com

presto-eng.info

jarah24.com

marigoldbrewery.com

onpointcomprasbrasil.com

cdrh-consultores.com

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Targets

- Target
  
  Order.exe
- Size
  
  184KB
- MD5
  
  b48a1b6628f1f941e506d15013a72619
- SHA1
  
  4d6a9fb6ad5aa1b53440c2eb0806602fc164b0a2
- SHA256
  
  cf540119b481ff1a73efd8f50bc5942faaa46e79f9cb78d06b2b993ef4c921a4
- SHA512
  
  c74f5fb663cd9e34c234a78884a30399825ed4211d5c1a795bebc6fa2546ae02ba9ddf24e648fd251ac5a265131cd645855483aeb411892367858ac2a571f6be
Score

5^/10
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  ????? ?????? ????#454326_PDF.exe
- Size
  
  899KB
- MD5
  
  8ffb5b1aba6759d623f20a9744de4dd0
- SHA1
  
  969a580a9e874f8e5a38d7fb4db664be1aa35ce5
- SHA256
  
  8674688f673421c41dd39734f690c3b1b0aa8aceb5adeb057cf8b21d8f2e41a6
- SHA512
  
  3713871db07036eca5846ca681432e63dbf1951a47186c1f8458a3395da57b53ab796f5b44025bb277cb6f281fecf401d090bc8618fa72b9ea20fce8991a538c
Score

10^/10

formbook rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Formbook Payload
  rat
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  87597.exe
- Size
  
  704KB
- MD5
  
  7e19235ca4a6192bdace52baa0a40d26
- SHA1
  
  1ac8aa96052b0da4f7d1072ca8fee01ade2e9f71
- SHA256
  
  ed762437d06ffae4d27baec39379997d8acf7ae6e6e758611793f3fb2fafcee1
- SHA512
  
  a67be81bf2487babe021184427d47004791fca072b93ea61efa40d81680132ffcbd96cd78a00a8f316be50d5308ce1d5f2b29dc19be32e91a74a65a63c7705a0
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670
- Size
  
  2.5MB
- MD5
  
  20f44573ee6dea2e3b5935c6b1b979db
- SHA1
  
  4c7429743c92dddb6929931585de25eebf1792cb
- SHA256
  
  29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670
- SHA512
  
  8c96de16c6cf01b351eff07585c0063167f9d1695510b2a1701ced7fd45aa8c34d101d5cc1e785306daf6c9f4ab9fedd7898608b92468f9483ce44637015aa0b
Score

7^/10

spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e
- Size
  
  887KB
- MD5
  
  040cca91f06819461187ad57faa81f30
- SHA1
  
  51b4261aa8c7a475ca9223d4dfddc19a2720096f
- SHA256
  
  2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e
- SHA512
  
  b95e41af609572c7e1de13f03abc9779b00cbc7fc4587345ad1a6259baec08a82e11d8e66e02f11049946dcef6620dcc50d9d9fa120e476eb571698718e4bc80
Score

10^/10

xloader loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader Payload
  rat
- Suspicious use of SetThreadContext
behavioral9 behavioral10
- Target
  
  RICHIESTA DI OFFERTA.exe
- Size
  
  236KB
- MD5
  
  73bb5c4b690b8d6df88d6bc18fb3a553
- SHA1
  
  60adddd91b6038fc9d819cf6d647ce3be0b11d38
- SHA256
  
  a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
- SHA512
  
  9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
Score

10^/10

guloader downloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
behavioral11 behavioral12
- Target
  
  39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c
- Size
  
  846B
- MD5
  
  351b843f627dad02a1e21178f29b59ab
- SHA1
  
  801db68232be9a0d7b89a834a18d0d1ecf4cdeea
- SHA256
  
  39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c
- SHA512
  
  9c3adc2f1251223b1e0dd1ce983dcb0e4a86c5b3abc7880b4028b1e5d9e8d9c59a394e2b0638eaea2aa9dd84c2d49a0ff775a1558bcfee4c3c9443481d0c46a0
Score

1^/10
behavioral13 behavioral14
- Target
  
  3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
- Size
  
  1.1MB
- MD5
  
  1ee5c7e3b59f02fef1b0f793d2196afd
- SHA1
  
  3f1a1ce12dec33f946079a532ccda8e0c72f2c7c
- SHA256
  
  3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
- SHA512
  
  0d106c3451f88ed8f27abe47917c4ba4b25706df623f3a0879c5a67c09a269a48b35b94ca25fc2cb7447be75a7e05cbf5464f4c1aff80224c20f263d321387be
Score

5^/10
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
- Size
  
  35KB
- MD5
  
  99551779549809d289d12efa5ac43e4e
- SHA1
  
  66b5b7aa0264b12e24f37388330a60991de3146a
- SHA256
  
  53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
- SHA512
  
  46c3e62d314c028ff812d299ed54e0cc8602422d462d58e35a1ea92b020cddb1700cfb91f339729b4018cd3cac7eb2268c5e0d5599f6a15f21d663626e2a2afe
Score

1^/10
behavioral17
- Target
  
  685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
- Size
  
  2.2MB
- MD5
  
  9882d9bb0a03a191d8ba9b4bc9c254c5
- SHA1
  
  23bbe2b78cfb4d2c1232fb48bda0dc1ea30222d6
- SHA256
  
  685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
- SHA512
  
  c3d683b765eb78dd21105096da079720a4b3abf717cb170b88059e900bd3749caf8002f125e7a0d6e4be2f4f703a5267d951af565eb4ba2a635d0233a8fdb6cc
Score

10^/10

bitrat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- BitRAT Payload
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral18 behavioral19
- Target
  
  6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
- Size
  
  4.6MB
- MD5
  
  eaee663dfeb2efcd9ec669f5622858e2
- SHA1
  
  2b96f0d568128240d0c53b2a191467fde440fd93
- SHA256
  
  6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
- SHA512
  
  211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
Score

10^/10

servhelper backdoor discovery exploit persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Blocklisted process makes network request
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Sets DLL path for service in the registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Drops file in System32 directory
behavioral20 behavioral21
- Target
  
  73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0
- Size
  
  835KB
- MD5
  
  7c81e999e91d1d0f772010dfa4c34923
- SHA1
  
  76caadc92346688b50a408b6c48017563a24844f
- SHA256
  
  73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0
- SHA512
  
  ee5777aafc4b568465b85322ba6ffcf0a38ecadde6274a2e4fdf440cf2ea061762a4b07eeb9a5b40b61d8bf3dab91871715bc5e64da74768f0be342b1f79ae27
Score

3^/10
behavioral22 behavioral23
- Target
  
  Inv_7623980.exe
- Size
  
  829KB
- MD5
  
  b20d9ced5d063ec28425551a520ac59d
- SHA1
  
  f6bfd3346ed28ef6ed5e45d89f6b1f89d8296b0f
- SHA256
  
  3ad516ed1d59d2a83e03dd014de474999c1d20885639cd2f77c1108c636636df
- SHA512
  
  2bbfa0ab4ef7132e5740e54d1fcacb35fdbea4a89b5208f42b4660377f5e18f7a09cad7c589d3a1c3b02d06228ba8b3cb02d6f32b0fcf18b71f23c0e367c48d4
Score

10^/10

xloader loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Suspicious use of SetThreadContext
behavioral24 behavioral25
- Target
  
  8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8
- Size
  
  1KB
- MD5
  
  c3bc357d17e8b2403ce323807e75911a
- SHA1
  
  4b37b7afbadab1bbdac7e43fb283f7180e47ea1d
- SHA256
  
  8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8
- SHA512
  
  463b9dd8f7d8006ec0f28b9383357904b3caeeaf1792e1127be011b20f1ee0c49ca422c4ed7fbfed60fad83bfff5d6728da43e68b4863d6032b7866e162b9c86
Score

8^/10
- Blocklisted process makes network request
behavioral26 behavioral27
- Target
  
  USD $.exe
- Size
  
  1.0MB
- MD5
  
  7098068c07032900ff073b55a8ad8e0b
- SHA1
  
  5bdda0bc06b935689f29d55b297d0523d82c6bfa
- SHA256
  
  2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
- SHA512
  
  c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39
Score

10^/10

xloader loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Suspicious use of SetThreadContext
behavioral28 behavioral29
- Target
  
  91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9
- Size
  
  400KB
- MD5
  
  315c3439a84941a3da05b9b09752dd5f
- SHA1
  
  ef24cc39f3f75c879d819480831541f12273f9f0
- SHA256
  
  91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9
- SHA512
  
  78229f409f4cdf93b87153325e37460855363eac92a84193d5aa82a6121c538d89e77c0da0dac977fbe3f8dc43482f560831ce2384e68268c8c99beb1d71d4ff
Score

1^/10
behavioral30 behavioral31
- Target
  
  9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89
- Size
  
  551KB
- MD5
  
  6382174601bf02a6f9b09303d4c7febf
- SHA1
  
  6af4c812ba7acc3e5a7237f4dfd7e013915aeda7
- SHA256
  
  9706247fdb847874ca3fad6229787e37299be25d938af865a8e5b132bf313b89
- SHA512
  
  62a24678c137367416613c34a4c7568a2323f264da5f59555a63d54b1b33ffbc94fd1d8c910c799383a91769809b72ebd0e0e61f617e1a784bcd4115d1098132
Score

1^/10
behavioral32

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Remote Desktop Protocol

T1076

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Suspicious use of SetThreadContext

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Suspicious use of SetThreadContext

AgentTesla Payload

Adds Run key to start application

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Xloader

Xloader Payload

Suspicious use of SetThreadContext

Guloader,Cloudeye

Suspicious use of SetThreadContext

BitRAT

BitRAT Payload

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

ServHelper

Grants admin privileges

Blocklisted process makes network request

Modifies RDP port number used by Windows

Possible privilege escalation attempt

Sets DLL path for service in the registry

UPX packed file

Loads dropped DLL

Modifies file permissions

Drops file in System32 directory

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Suspicious use of SetThreadContext

Blocklisted process makes network request

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31