agenttesla

General

Target

eb3736303989c50cc32eef01676ad77603e0fc8ce2b15f6115de4d4ac526486d
Size

72KB
Sample

230206-dz8e6afc8x
MD5

e9d3edfc2d537d9a833ede05e31b9dca
SHA1

0e16ffe93f94b0e8fb6cf7ec0226a389b38b21e3
SHA256

eb3736303989c50cc32eef01676ad77603e0fc8ce2b15f6115de4d4ac526486d
SHA512

f741d0ba00907791198022e96fcea04f93a711481128631a1f9078423fd706f17d7c50d4a46e93b4605f3a19d6a8c9fd1c8e9c4687949f8d7e5fe4d28eac3095
SSDEEP

1536:CHzq0DVY6OFQVIwkRmPuVubhxvjvjL8Zm870AF00bWxCvS6h:OmoYjQVf2VqfXAM8gA20C0

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Stille.sea

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Targets

- Target
  
  Bank Detail.vbs
- Size
  
  133KB
- MD5
  
  e3f36e6188ed8fab3958b0ec4db8c252
- SHA1
  
  ddf1653f407849c441d2fe0c752dc838789fa93b
- SHA256
  
  e5e5e0dd3fbadb5e8c7632d515ad30182d68e9290f5b037c52d07b91cb2808aa
- SHA512
  
  c181926061be5cd09076971ed7c6076ec42e9a8f009c356b13e649f1ce345e590fb3550e16f284cc62fa7fc52ba6d1daa41d9b7c84cb18972dd8aebcaea68b5d
- SSDEEP
  
  3072:vaRJmOAfd8KUTvt3lZXHRTjsa096GbtkcHzDjQQwMBF+8n8gGYiw1NOr:vaSBfdR+j1xTQHZbtkcHzvQQwm2YfW
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2