agenttesla

General

Target

Fedteradsens.vbs
Size

320KB
Sample

221222-qjxpyaee53
MD5

9e28bb88afaaf6f6c8e23d3b5f3b3721
SHA1

8e76a37f314eee4fb2c8eb82c32de2e81d1851dd
SHA256

067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da
SHA512

6b2cf5f6fbf57c6f163b1a563e8f568ba8a55970bb64ca7f4db0d37a4b20fa8d6149d2ba3303bdf39f04c53b54fa3c9185b188a4e8bce71ba713f7aec46f2134
SSDEEP

6144:7zElTw6iCG/7yf4ExFv3nWDVl97jPE4/x6337hDNkQm5/dUDJa6:uaCG/7jE/v3nuz7jnozk0U6

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mpmhino.com
Port:
587
Username:
[email protected]
Password:
mpmpabelan123
Email To:
[email protected]

Targets

- Target
  
  Fedteradsens.vbs
- Size
  
  320KB
- MD5
  
  9e28bb88afaaf6f6c8e23d3b5f3b3721
- SHA1
  
  8e76a37f314eee4fb2c8eb82c32de2e81d1851dd
- SHA256
  
  067775099e8349a39928c3513c29a8f1910da84c60b11d33e83e7484ea9ba2da
- SHA512
  
  6b2cf5f6fbf57c6f163b1a563e8f568ba8a55970bb64ca7f4db0d37a4b20fa8d6149d2ba3303bdf39f04c53b54fa3c9185b188a4e8bce71ba713f7aec46f2134
- SSDEEP
  
  6144:7zElTw6iCG/7yf4ExFv3nWDVl97jPE4/x6337hDNkQm5/dUDJa6:uaCG/7jE/v3nuz7jnozk0U6
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2