agenttesla

General

Target

EMIR....vbs
Size

86KB
Sample

230207-v6kq4sch89
MD5

ad30e5a6a05c24a1a258ccad8f18d8a9
SHA1

12cd13a6e5dad30bdf7bf47c95eeecba5125e05e
SHA256

edb31e91fc23362b0b07322e706002485d1d85fcdc7ac4f943b437733989f662
SHA512

c142dda27f7088ef1ab2d8b635f1a304e4e4f1bac02a2421cf5cc18de9dddb2fa877ac2cdd67fed71f0d0f70f5efcc7031b5ef2db3162277678a5a524371c4e5
SSDEEP

1536:IAlmpA5OJSMrPPmPAosoZYydS79ATi/Wxfi0PS6HW1bHpoAPi:fliy23rPPCsoZYydq+Ti+xfi0PS6cbJU

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1I7BjREVCPEdIeSEXuC9L5uCvqhiwCnnO

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.1and1.es
Port:
587
Username:
[email protected]
Password:
[email protected].
Email To:
[email protected]

Targets

- Target
  
  EMIR....vbs
- Size
  
  86KB
- MD5
  
  ad30e5a6a05c24a1a258ccad8f18d8a9
- SHA1
  
  12cd13a6e5dad30bdf7bf47c95eeecba5125e05e
- SHA256
  
  edb31e91fc23362b0b07322e706002485d1d85fcdc7ac4f943b437733989f662
- SHA512
  
  c142dda27f7088ef1ab2d8b635f1a304e4e4f1bac02a2421cf5cc18de9dddb2fa877ac2cdd67fed71f0d0f70f5efcc7031b5ef2db3162277678a5a524371c4e5
- SSDEEP
  
  1536:IAlmpA5OJSMrPPmPAosoZYydS79ATi/Wxfi0PS6HW1bHpoAPi:fliy23rPPCsoZYydq+Ti+xfi0PS6cbJU
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2