agenttesla

General

Target

8631938776.zip
Size

2.2MB
Sample

221220-q62x6shg33
MD5

28ca4eec4057e688370b14454c4d49c5
SHA1

f8efd3b430b96287d9e730d320c08ffea5c222c4
SHA256

4e4f4660fec63972edddc6ade60509838ddf71edd1808543b20542b87afb0767
SHA512

8542640eccf4f34a37a1722ae5c49de061302a32cabd6705680f608035b3f0bb6345bec06e50f46312f6f29c41a60226ba893d192fad103d30b420eebc22d03e
SSDEEP

49152:scbpCsv5LwKWOCI9MM20VhX8arf4GaZlmXRCYKryFlVdi:mnVOz9MM20v74GaZkRbKuFlVM

Score

10^/10

Malware Config

Extracted

Family

wshrat

C2

http://newmoney2033.duckdns.org:5000

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mktron.in
Port:
587
Username:
[email protected]
Password:
Avdhutm#108
Email To:
[email protected]

Targets

- Target
  
  DRAFT-COPY6979977-SHIPPING -DOCUMENT9696969.exe
- Size
  
  1.4MB
- MD5
  
  211ebc2eede41dbffd0cfa437ec6a32f
- SHA1
  
  e0c0d52cb266c517d84b759f2423fb6e1a93f337
- SHA256
  
  5b4db1bf348e86d6295c33248ec0a5085de36b830b1528ada92e9abf291f61c5
- SHA512
  
  9c1c501fe3b5b149594c7110d8c8b15013c5bb595a1aaf2b341e9a9fee7140848744e45697b59f48d2216eec04f3008c7247457847808c22298fd3a98a698ce3
- SSDEEP
  
  24576:JAOcZ5pO7jnAp0u8GFkfhadicVTc4T+ztkdtNBVQ70M/dj2qHLt:jlHAp5FkfhadicVJKztkXNjQ70MQqHR
Score

10^/10

wshrat persistence trojan
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  367d39225e302c70a6d40e4a577409056182175a4fa1b3978015aed03969ca25
- Size
  
  1.1MB
- MD5
  
  223023738f9ea16afc33e3f7eebc6fae
- SHA1
  
  c701f127eb9c8d7068b1df38b6bf2d8e90e46894
- SHA256
  
  367d39225e302c70a6d40e4a577409056182175a4fa1b3978015aed03969ca25
- SHA512
  
  90dca5836875d8aa23b38b301528814c5f8990ba5d4b6554c22d7f48d153376a80df848e597e7e55bda0dd226f29b8657789a84224ef13781a1270bbe9c6b451
- SSDEEP
  
  24576:D2aJI999d9T81a3JsoYd2iDrbwEcITDhMkA3HhNrlflRgBGnbzOQcvldO5SI:D2EfwOd2qrZ5nhMkA3HhNDKBPpXOwI
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4