agenttesla | 88caf41122ae930ca97f30367279b2065148a9319224e34c132eab0cfad2561b | Triage

Sharing

General

Target

Sipariş.28.vbs
Size

125KB
Sample

230208-xb2ggsdf21
MD5

90f6cad58fa39455b2bd712eb9a9e5d4
SHA1

72e110e777392aa23aba252deedbae00ce93d01a
SHA256

88caf41122ae930ca97f30367279b2065148a9319224e34c132eab0cfad2561b
SHA512

1cdb50e920c078ed39000b63cf70e0351795d5e7704b29c1905d0678dae5e721bfbf26b57ecf667990ab55c7076add780fffe2478b44bb5ddfb2f3f2d6b1f33a
SSDEEP

1536:FFHXmJmnq3Cj74LIHCWF0KcBFuw4AZfsz/1U/727jPysWIJuHhgz26qZgFfga7oj:FYYq3Cj8LqE9ly7jPTWCuHiq0fga7oj

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1-WQl_IuA-mYLU2KIuYz-IB-5GgJqjQQP

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.1and1.es
Port:
587
Username:
[email protected]
Password:
Adara2020*
Email To:
[email protected]

Targets

- Target
  
  Sipariş.28.vbs
- Size
  
  125KB
- MD5
  
  90f6cad58fa39455b2bd712eb9a9e5d4
- SHA1
  
  72e110e777392aa23aba252deedbae00ce93d01a
- SHA256
  
  88caf41122ae930ca97f30367279b2065148a9319224e34c132eab0cfad2561b
- SHA512
  
  1cdb50e920c078ed39000b63cf70e0351795d5e7704b29c1905d0678dae5e721bfbf26b57ecf667990ab55c7076add780fffe2478b44bb5ddfb2f3f2d6b1f33a
- SSDEEP
  
  1536:FFHXmJmnq3Cj74LIHCWF0KcBFuw4AZfsz/1U/727jPysWIJuHhgz26qZgFfga7oj:FYYq3Cj8LqE9ly7jPTWCuHiq0fga7oj
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

behavioral2

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan