agenttesla | fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2 | Triage

Submit
Reports

Overview

overview

Static

static

CI-OMG200602.exe

windows7-x64

CI-OMG200602.exe

windows10-2004-x64

Sharing

General

Target

CI-OMG200602.exe
Size

375KB
Sample

221231-dvra3scc8z
MD5

485240e3236bb5fb9f4592684b9f912e
SHA1

cdff2f67dff804cdccbda85a667847009c9c52c6
SHA256

fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2
SHA512

5c68d7f9c78adb34bd5e3b7767dfe9c5dcad9c23e402d35ced6e13bfadc7791549ff00f855fa2b92d002aeafdc8ccb4c1d015f6f91b105a404b17c51411fee45
SSDEEP

6144:Q4t6LsOB/OKpXK7tP2yFVV12wf69+7vWK8LEPdukN/7bon4KwHkfgtss0CNIyOFZ:QkOB/OKYO+fUYvWbEP7hbon43Hkfgts/

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

CI-OMG200602.exe

Resource

win7-20220812-en

agenttesla guloader collection downloader keylogger spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

CI-OMG200602.exe

Resource

win10v2004-20221111-en

agenttesla guloader collection downloader keylogger spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  CI-OMG200602.exe
- Size
  
  375KB
- MD5
  
  485240e3236bb5fb9f4592684b9f912e
- SHA1
  
  cdff2f67dff804cdccbda85a667847009c9c52c6
- SHA256
  
  fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2
- SHA512
  
  5c68d7f9c78adb34bd5e3b7767dfe9c5dcad9c23e402d35ced6e13bfadc7791549ff00f855fa2b92d002aeafdc8ccb4c1d015f6f91b105a404b17c51411fee45
- SSDEEP
  
  6144:Q4t6LsOB/OKpXK7tP2yFVV12wf69+7vWK8LEPdukN/7bon4KwHkfgtss0CNIyOFZ:QkOB/OKYO+fUYvWbEP7hbon43Hkfgts/
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

behavioral2

agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy