agenttesla | 00318a2530828681e8a6741ca987833a4bfaae7d622fcb60295d38170e624bf1 | Triage

Submit
Reports

Overview

overview

Static

static

1

20230208100.vbs

windows7-x64

20230208100.vbs

windows10-2004-x64

Sharing

General

Target

20230208100.cab
Size

69KB
Sample

230208-pzzc2aag77
MD5

4532eb0262ffbefc43e63f2ea7b8c114
SHA1

41a4995eb49e232f59e822c40036d947e8ec9b38
SHA256

00318a2530828681e8a6741ca987833a4bfaae7d622fcb60295d38170e624bf1
SHA512

d5dc529dddbaec6f0448160e97a3e28baae6289dec2d3dffc91874d9dd73edf819fd97482222c595fc3e9d4034821c3954977a0e31490737ddb7c08f464a7d97
SSDEEP

1536:w0vFitxdSJoDgdmyD3PDLqkSR0Hpjsrk/RdcxVPn3L:w9UiD0D3PPHSR0wk/RuxZ3L

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

20230208100.vbs

Resource

win7-20220812-en

agenttesla guloader downloader keylogger spyware stealer trojan

windows7-x64

14 signatures

150 seconds

Behavioral task

behavioral2

Sample

20230208100.vbs

Resource

win10v2004-20220812-en

agenttesla guloader downloader keylogger spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/Uninter.thn

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.valvulasthermovalve.cl/
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Targets

- Target
  
  20230208100.vbs
- Size
  
  131KB
- MD5
  
  41dc8a33e0ad3c7e1dc6a7e82ceef9f3
- SHA1
  
  ef04a98fbb86bd0184849d8af88eb34ebdef877b
- SHA256
  
  25c62da172ade20b30e71185ff9ae1cb19713dbc8a86c306167e7e046912c3b6
- SHA512
  
  400e6067d3b24763396250ddc5dcc41cfcf7093ad4f498e8a8427c97dd2464cf05041bcd48c8d69daf741413601b9affd958d45c6c479fa882b1d2cfb8824fa0
- SSDEEP
  
  3072:v/rJmOzfVKUTvt3cXHRTj8ae2ZgnUVUo4WJrs0uoOpXdOQYtjQQwMBF+8n8RGYiw:v/gcfs+qxToS6U6+0pdaQQwm5Yf/
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

behavioral2

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy