agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

1.bin.zip
Size

12.5MB
Sample

220421-cy7xkahgcr
MD5

b0f9f99051935522de89e43cfab1f609
SHA1

c2749569ee7744fc7e03d149bec33bcf005ea5d9
SHA256

396007e9ec9b5959369bfbb175d43cf8f734140aad3075332da443c0cf733f50
SHA512

af9ede003f79402ef466b1cc81d842ea68949f0dcd146a181ed70517e27a2660decd05d64a547fce73faa26eb9354805545afe7a715d30381a4226b1a71310cf

Malware Config

Extracted

Family

gozi_rm3

Attributes

build
300869
exe_type
loader

Extracted

Family

gozi_rm3

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

raccoon

Botnet

7765746aa9cb9b6c88bb5a7789286d92b104fd16

Attributes

url4cnc
https://telete.in/blintick

rc4.plain

Extracted

Family

guloader

https://onedrive.live.com/download?cid=8D14D74EB13B02D0&resid=8D14D74EB13B02D0%21161&authkey=AAzCpAsT_Jf9zKg

https://drive.google.com/uc?export=download&id=1ELoiNSVTziaBatbVNZQWxal_RsriCCrt

http://ffacscs.ug/nw_kUILGeMGK73.bin

http://blockchains.pk/nw_kUILGeMGK73.bin

https://qif.ac.ke/flow_AoGPhiVz245.bin

https://onedrive.live.com/download?cid=46B98FE6F0D79519&resid=46B98FE6F0D79519%211842&authkey=ANcfRm-0LjxFJQY

https://drive.google.com/uc?export=download&id=11NAZslAWBWkK1b4dFviELvvgWl48QHr6

xor.base64

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

qakbot

Version

324.141

Botnet

spx129

Campaign

1590734339

94.10.81.239:443

94.52.160.116:443

67.0.74.119:443

175.137.136.79:443

73.232.165.200:995

79.119.67.149:443

62.38.111.70:2222

108.58.9.238:993

216.110.249.252:2222

67.209.195.198:3389

84.247.55.190:443

96.37.137.42:443

94.176.220.76:2222

173.245.152.231:443

96.227.122.123:443

188.192.75.8:995

24.229.245.124:995

71.163.225.75:443

75.71.77.59:443

104.36.135.227:443

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Targets

- Target
  
  1.bin
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
Score

10^/10

agenttesla danabot dharma formbook gozi_rm3 guloader qakbot raccoon 7765746aa9cb9b6c88bb5a7789286d92b104fd16 86920224 spx129 1590734339 w9z agilenet banker botnet coreentity cryptone downloader guloader keylogger packer ransomware rat spyware stealer suricata trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gozi RM3
  A heavily modified version of Gozi using RM3 loader.
  banker trojan gozi_rm3
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Raccoon Stealer Payload
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- AgentTesla Payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Formbook Payload
  rat
- Guloader Payload
  guloader
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

CoreEntity .NET Packer

Danabot

Danabot x86 payload

Dharma

Formbook

Gozi RM3

Guloader,Cloudeye

Qakbot/Qbot

Raccoon

Raccoon Stealer Payload

suricata: ET MALWARE FormBook CnC Checkin (GET)

AgentTesla Payload

CryptOne packer

Deletes shadow copies

Formbook Payload

Guloader Payload

Executes dropped EXE

Checks computer location settings

Obfuscated with Agile.Net obfuscator

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2