agenttesla

General

Target

[Schedule_&_Booking__18th_oct.exe
Size

525KB
Sample

211018-nn7plaedfl
MD5

4114e15de65a9ec4b8eacc3ef60804bb
SHA1

eb450264abe3b3ed70167f267cb974ea13d60260
SHA256

d81e35754aa34fb2fd0b850b4f1d8080a64a8408623303d3a8abecea5b0a30de
SHA512

256e27521a7008896808a798222025769a00aa155148e843a959c969bb9b7e369a4d57f5d1605fe4c1d1f0704c675df638eea032f602c51d1fb78e2af8e6805c

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.mail.ru
Port:
587
Username:
[email protected]
Password:
PxhrKDkvikRcSaP2dkv9

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

C2

grace.adds-only.xyz:1609

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
wHq4o3k6UfKZv19jkcxs
install_name
winrara.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Mutex

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Targets

- Target
  
  [Schedule_&_Booking__18th_oct.exe
- Size
  
  525KB
- MD5
  
  4114e15de65a9ec4b8eacc3ef60804bb
- SHA1
  
  eb450264abe3b3ed70167f267cb974ea13d60260
- SHA256
  
  d81e35754aa34fb2fd0b850b4f1d8080a64a8408623303d3a8abecea5b0a30de
- SHA512
  
  256e27521a7008896808a798222025769a00aa155148e843a959c969bb9b7e369a4d57f5d1605fe4c1d1f0704c675df638eea032f602c51d1fb78e2af8e6805c
Score

10^/10

agenttesla quasar venomrat collection evasion keylogger persistence rat rootkit spyware stealer suricata trojan office04
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Quasar Payload
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- VenomRAT
  VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
  rat rootkit stealer venomrat
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- AgentTesla Payload
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2