Overview

overview

10

Static

static

1be4b81f65...bb.exe

windows7_x64

10

1be4b81f65...bb.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1be4b81f653a0a043c18a5507172f8a8fe30bea80a4ac8d6131853af9fe46ebb

  • Size

    124KB

  • Sample

    220521-b3922sgacq

  • MD5

    6a31f01180e6ba81424c680fe3a3a662

  • SHA1

    f6785d37cb8779dd5222397719464fc65d222b5c

  • SHA256

    1be4b81f653a0a043c18a5507172f8a8fe30bea80a4ac8d6131853af9fe46ebb

  • SHA512

    1f4ae8ffc9fbd4cd04c1c1c8187eed3eba3e96596ddb6c0a0733d735d38b619b1a020d59721ebcbca2c8c9f099208f83a2cfe18e5a9c2b4c324ec73c661cd17f

Score
10/10
agentteslaguloadercollectiondownloaderguloaderkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

guloader

C2

http://jkkn.ac.in/winwin.exe_encrypted.bin

xor.base64

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.qilonqchem.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    NUfMG!E2

Targets

    • Target

      1be4b81f653a0a043c18a5507172f8a8fe30bea80a4ac8d6131853af9fe46ebb

    • Size

      124KB

    • MD5

      6a31f01180e6ba81424c680fe3a3a662

    • SHA1

      f6785d37cb8779dd5222397719464fc65d222b5c

    • SHA256

      1be4b81f653a0a043c18a5507172f8a8fe30bea80a4ac8d6131853af9fe46ebb

    • SHA512

      1f4ae8ffc9fbd4cd04c1c1c8187eed3eba3e96596ddb6c0a0733d735d38b619b1a020d59721ebcbca2c8c9f099208f83a2cfe18e5a9c2b4c324ec73c661cd17f

    Score
    10/10
    agentteslaguloadercollectiondownloaderguloaderkeyloggerpersistencespywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • AgentTesla Payload

    • Guloader Payload

      guloader

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Tasks