agenttesla

General

Target

9034968482.zip
Size

33.9MB
Sample

230207-aw5y3sgf64
MD5

16786b161678e97ba48846301cc96715
SHA1

11e846d9af65b7b759f0cac5573d82fc7b7815dd
SHA256

f78bda643bc02054908c347ed64d7244d6da34cd8798aadf6e01313c8803c5bb
SHA512

3dd9b18a6770c92ad3b7ae708b0d79299e52f05e267771f7da40717ac3690296c3a02cf221664fbe8358ec009366c15535aa4501226c86f2f4865eb58d6c8b6d
SSDEEP

786432:7swY14sR6TbXI/FTLPGbUgtFjSDIU0B826Fzf0Xa7D7v4O9i:7sF6sETcSUgTjlU02kkA

Score

10^/10

Malware Config

Extracted

Family

purecrypter

C2

http://justnormalsite.ddns.net/SystemEnv/uploads/nodeffender_Veiwqhsq.jpg

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mgcpakistan.com/
Port:
21
Username:
[email protected]
Password:
boygirl123456

Targets

- Target
  
  5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
- Size
  
  350.1MB
- MD5
  
  0180decb30ec5d3934893c90995b2aca
- SHA1
  
  181cf9bd4aaa5e0fc3e329f72a32e5fdb5af2e67
- SHA256
  
  5d649c5aa230376f1a08074aee91129b8031606856e9b4b6c6d0387f35f6629d
- SHA512
  
  2edada0d787ca09745a74c4ff9a1c4c6346b72ea544d3d2fab5f5909b190e19f1fd0494bc7c3d5bb972d1c9199a49267d21eac57c5413d65a333a4ea0067e58a
- SSDEEP
  
  1536:z+p+iPNAL0z81YHKDgnkt9tMDyC+9BDYz39A:zOvFRCgkIDyt9BDk39A
Score

10^/10

purecrypter downloader loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
behavioral1 behavioral2
- Target
  
  a7c006a79a6ded6b1cb39a71183123dcaaaa21ea2684a8f199f27e16fcb30e8e
- Size
  
  323.8MB
- MD5
  
  6315802a5c2570a5dc6460eaccc678a4
- SHA1
  
  3805588acfce5c1b0eeb5bd2e16a912208a77549
- SHA256
  
  f7a0c0519fc45fc498b46399982886633c79ba4c72d07fc9836cb5be2fb4685d
- SHA512
  
  05f379390a4ce1bab9799ae19f6d8cba862bb37eca8a6c98fae790342eb8ad626d79c63ad0c5c2e038f8368df7bc8a6fc1315b25c543651f2266bcfffe8a3cdd
- SSDEEP
  
  96:WAwa5N9p+ZNLDApFY1jAdhkxgqEQGnQUzNtd:WAwa5grL+OEyxgfFn/r
Score

3^/10
behavioral3 behavioral4
- Target
  
  c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331
- Size
  
  350.1MB
- MD5
  
  e6ee01eefc03e56e385cb620990516d8
- SHA1
  
  f64b4f867b05ed4ac03bfa4c61cad6cd7f51a248
- SHA256
  
  c846e7bbbc1f65452bdca87523edf0fd1a58cbd9a45e622e29d480d8d80ac331
- SHA512
  
  89006d7f81e8abe98d5bc309c5dade672410cb39c9c58ab83c8cbcb0952e9f4415a920080efd67d3733c424e19a74b15839d3e1be7d5d1604cfd70caed406909
- SSDEEP
  
  384:CoRiEv8uudnJ0fXHEkKLgvnnmLkgDd8yxNxDs7vOcPPhI+9wwwwwww7777jYYYz7:CaiKyoftWgvmIUdfT3cVl
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

PureCrypter

AgentTesla payload

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6