agenttesla

General

Target

justificante de transferencia.vbe
Size

86KB
Sample

230207-vppzhaga7w
MD5

15bd082a1239672f89da95a8e64c222c
SHA1

03e403be543416771fbf7aafeed8023257619bdc
SHA256

773560e65eee3974ead74c4f73859a9f094794610469e71566cbed3d04015e2c
SHA512

ad32109ab0c77cbbe0b29d05153463a8b4b408176019be58d428a9d4bb4920a1e3ea097f66e46b7aaff65fee79fac4044e748e025adb3913032faafeeb2a4014
SSDEEP

1536:MApmpA5OR/mZrFWHVzt6XZT6/Wxfi0PS6aW12HpsA4i:7piy+/cgHF4JT6+xfi0PS6H2JCi

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=10wUX24m2KoXCtZbcElr2d3t8TYB8y6dQ

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.heladospalacio.com
Port:
587
Username:
[email protected]
Password:
Drs4x0!6
Email To:
[email protected]

Targets

- Target
  
  justificante de transferencia.vbe
- Size
  
  86KB
- MD5
  
  15bd082a1239672f89da95a8e64c222c
- SHA1
  
  03e403be543416771fbf7aafeed8023257619bdc
- SHA256
  
  773560e65eee3974ead74c4f73859a9f094794610469e71566cbed3d04015e2c
- SHA512
  
  ad32109ab0c77cbbe0b29d05153463a8b4b408176019be58d428a9d4bb4920a1e3ea097f66e46b7aaff65fee79fac4044e748e025adb3913032faafeeb2a4014
- SSDEEP
  
  1536:MApmpA5OR/mZrFWHVzt6XZT6/Wxfi0PS6aW12HpsA4i:7piy+/cgHF4JT6+xfi0PS6H2JCi
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2