agenttesla | f090ea218b1b9efedee6bae4665c1066649dc0fb94542467a56ae5a0a2c693e0 | Triage

Submit
Reports

Overview

overview

Static

static

PAYMENT_CO...df.exe

windows7_x64

PAYMENT_CO...df.exe

windows10_x64

Sharing

General

Target

PAYMENT_COPY_ HSBC BANK_Pdf.exe
Size

38KB
Sample

211018-lkfetsecbk
MD5

98c0e8ae038031c7f5f210119c1b0b36
SHA1

e63bb6d9ebe904e805f93f86dba97f6eeb6a5cef
SHA256

f090ea218b1b9efedee6bae4665c1066649dc0fb94542467a56ae5a0a2c693e0
SHA512

951259982fec7ccb4bcdaf4993e85f89ac041f28bd1150616ae59e983b91b5565610d379016a920df7465c7721c41e509802b298eab61e1446b9d47fc84b8e3d

Score

10^/10

agenttesla limerat collection keylogger rat spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PAYMENT_COPY_ HSBC BANK_Pdf.exe

Resource

win7-en-20211014

agenttesla limerat keylogger rat spyware stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PAYMENT_COPY_ HSBC BANK_Pdf.exe

Resource

win10-en-20210920

agenttesla limerat collection keylogger rat spyware stealer trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

limerat

Wallets

3AtEv1cfnjjwnaXZKwxd8fV5xh2sx5qNob

Attributes

aes_key
NYANCAT
antivm
true
c2_url
https://pastebin.com/raw/rmZm7wcd
delay
3
download_payload
false
install
true
install_name
575756.exe
main_folder
Temp
pin_spread
true
sub_folder
\windows\
usb_spread
true

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.meyaargroup.com
Port:
587
Username:
[email protected]
Password:
Meyaar@123$

Targets

- Target
  
  PAYMENT_COPY_ HSBC BANK_Pdf.exe
- Size
  
  38KB
- MD5
  
  98c0e8ae038031c7f5f210119c1b0b36
- SHA1
  
  e63bb6d9ebe904e805f93f86dba97f6eeb6a5cef
- SHA256
  
  f090ea218b1b9efedee6bae4665c1066649dc0fb94542467a56ae5a0a2c693e0
- SHA512
  
  951259982fec7ccb4bcdaf4993e85f89ac041f28bd1150616ae59e983b91b5565610d379016a920df7465c7721c41e509802b298eab61e1446b9d47fc84b8e3d
Score

10^/10

agenttesla limerat keylogger rat spyware stealer trojan collection
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Web Service

Credential Access

Credentials in Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslalimeratkeyloggerratspywarestealertrojan

behavioral2

agentteslalimeratcollectionkeyloggerratspywarestealertrojan

© 2018-2024

Terms | Privacy