agenttesla

General

Target

SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
Size

105KB
Sample

220920-kybhcsgahn
MD5

ac4b11253fd63a6f272bf10dabdbfb01
SHA1

1892479a8d6b58642f57514b6bbd29ab4f7e5e62
SHA256

7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
SHA512

34b90fb700e609065b1e0ecf8eaa3fa5f33ed470e8dd58b03874de808bbae304e52ac5c0f81c93e9ec798dcf6009cc76433899743fef8ea4db1fdb0fb9f60511
SSDEEP

3072:Us+LplNxNXz3lxRXJWfH1lzsf+BaMPEGNXA8rD:UsKxNX1AP14xA7NXjv

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.overviewsupplies.com/
Port:
21
Username:
[email protected]
Password:
w[3c2r?B,Of+

Extracted

Credentials

Protocol: ftp
Host:
ftp.overviewsupplies.com
Port:
21
Username:
[email protected]
Password:
w[3c2r?B,Of+

Targets

- Target
  
  SecuriteInfo.com.W32.Injector.FIHC-3037.22773.exe
- Size
  
  105KB
- MD5
  
  ac4b11253fd63a6f272bf10dabdbfb01
- SHA1
  
  1892479a8d6b58642f57514b6bbd29ab4f7e5e62
- SHA256
  
  7e7e4ddcd61df737e689389da1b59df402521f3310ad402c0696b97cf6ce3a20
- SHA512
  
  34b90fb700e609065b1e0ecf8eaa3fa5f33ed470e8dd58b03874de808bbae304e52ac5c0f81c93e9ec798dcf6009cc76433899743fef8ea4db1fdb0fb9f60511
- SSDEEP
  
  3072:Us+LplNxNXz3lxRXJWfH1lzsf+BaMPEGNXA8rD:UsKxNX1AP14xA7NXjv
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan collection
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2