agenttesla

General

Target

SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe
Size

134KB
Sample

220927-j7vrxschh2
MD5

fa642af59bc3f678e8c64942de1ea1b5
SHA1

cb5a9a2b97969938efffe74a2961936853239a04
SHA256

698dee67ffc5a82e25e75e3adb337b0d4869d2c2f5ff1362c4b8ef881ac84f54
SHA512

c03a62db947abe6f2994df3c54b6e6322dd07a9e4c843b8821495579f51deec5ad038fae580d2733da0350e691111f6ad07f875a91c85216566a126c4ef715e1
SSDEEP

3072:tNRCywDw1DiJkupabH2rCcSla0qN/vwfFfdLQ861CxBbFhnQ7Cx:tT4DtyWrCjlSSB61CxQ

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.overviewsupplies.com/
Port:
21
Username:
[email protected]
Password:
w[3c2r?B,Of+

Extracted

Credentials

Protocol: ftp
Host:
ftp.overviewsupplies.com
Port:
21
Username:
[email protected]
Password:
w[3c2r?B,Of+

Targets

- Target
  
  SecuriteInfo.com.Gen.Variant.Nemesis.8199.18591.exe
- Size
  
  134KB
- MD5
  
  fa642af59bc3f678e8c64942de1ea1b5
- SHA1
  
  cb5a9a2b97969938efffe74a2961936853239a04
- SHA256
  
  698dee67ffc5a82e25e75e3adb337b0d4869d2c2f5ff1362c4b8ef881ac84f54
- SHA512
  
  c03a62db947abe6f2994df3c54b6e6322dd07a9e4c843b8821495579f51deec5ad038fae580d2733da0350e691111f6ad07f875a91c85216566a126c4ef715e1
- SSDEEP
  
  3072:tNRCywDw1DiJkupabH2rCcSla0qN/vwfFfdLQ861CxBbFhnQ7Cx:tT4DtyWrCjlSSB61CxQ
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan collection
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2