agenttesla

General

Target

91a9b8b4efd545f376887077c700fb44409bdad0bfaf84d9d28a3ebd11a3e286
Size

612KB
Sample

220521-brjeyscch8
MD5

80753b97ca46377ddeee450c3577282c
SHA1

0a0219a43503d4cebbf3bcf1ca767d12d9cabcc2
SHA256

91a9b8b4efd545f376887077c700fb44409bdad0bfaf84d9d28a3ebd11a3e286
SHA512

89619d81a2280cb1b30bdab10dad14ad1a1e2d2452b6192ba9d472de50c1d2f0d87ce5286bff26cff738a06704acfc04f5000dcafab1559f4c5ad6dc0759559e

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.bnb-spa.com
Port:
587
Username:
[email protected]
Password:
hope2020

Extracted

Family

nanocore

Version

1.2.2.0

C2

donko.publicvm.com:1818

185.140.53.7:1818

Mutex

013ea0ab-fa70-4a72-af18-b76bb86764f5

Attributes

activate_away_mode
true
backup_connection_host
185.140.53.7
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-02-07T09:33:59.014454736Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1818
default_group
APRIL27
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
013ea0ab-fa70-4a72-af18-b76bb86764f5
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
donko.publicvm.com
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Targets

- Target
  
  RFQ# 33257 QUOTE 2page.exe
- Size
  
  373KB
- MD5
  
  b004b56de5deafd9a7aa3d5797351433
- SHA1
  
  110e1cc5237cb7988d40a1f64268238b5f0f2b2e
- SHA256
  
  80823066c678eb73f3b02c6da7335a2f911968da9315aa2db86e01bb01c50f92
- SHA512
  
  3e3a44e62deec3ad25e6d20abbd9f6f9f4a16d224b6dc10ebef6ea05b9806967f47e17573cc8f93fbe1ac7e0c8af744a8a4d7d3ed1aad876774a463ab6c4d41c
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  RFQ# 33257 QUOTE.exe
- Size
  
  286KB
- MD5
  
  8f7b7cf4cf5a95ac404d9f7e047293a2
- SHA1
  
  127013ff55defc437b41bc8442e7d2bb45c17f3b
- SHA256
  
  313519528c86c1ebd08c03ccc3a9640dcf4861c08313c89004113ee802568003
- SHA512
  
  4a76a8ba6b570f2857a145bad79812b739c5bba508bf16c206437d7bdca9ba1039d820683d144f2a23cef4347c276b4c00309f0b67f66ad2fc485cd5273d30c9
Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral3 behavioral4