agenttesla | 1ef04afb88292cc59711d31f29175aa4ee66f0fb5431c417ad4f02cf3588d935 | Triage

Submit
Reports

Overview

overview

Static

static

1

PagoFactu.vbs

windows7-x64

PagoFactu.vbs

windows10-2004-x64

Sharing

General

Target

PagoFactu.vbs
Size

124KB
Sample

230208-xb2ggsdf2y
MD5

a911fcb381e94db6603ee3bbed255241
SHA1

e388706d286fca439dae5d0e59c446260e29e47e
SHA256

1ef04afb88292cc59711d31f29175aa4ee66f0fb5431c417ad4f02cf3588d935
SHA512

d7112dd62e70c0cabe505aa834d37be53e46e152ca6c06ec9d4314412262fe528d16e6e0d285b29e4acc1ae10d58798567f4bb88a6c747ca65541e575e43eab8
SSDEEP

3072:FXFq3Cj8LqP/D9+y7jP0WCuH4q07guhoK:lFw/mPL9+yXFHv07N

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

PagoFactu.vbs

Resource

win7-20220812-en

agenttesla guloader collection downloader keylogger spyware stealer trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

PagoFactu.vbs

Resource

win10v2004-20221111-en

agenttesla guloader downloader keylogger spyware stealer trojan

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=1nSKAGzrSWPtToUe3WbRHdqpyZLyve4Tg

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.heladospalacio.com
Port:
587
Username:
[email protected]
Password:
Drs4x0!6
Email To:
[email protected]

Targets

- Target
  
  PagoFactu.vbs
- Size
  
  124KB
- MD5
  
  a911fcb381e94db6603ee3bbed255241
- SHA1
  
  e388706d286fca439dae5d0e59c446260e29e47e
- SHA256
  
  1ef04afb88292cc59711d31f29175aa4ee66f0fb5431c417ad4f02cf3588d935
- SHA512
  
  d7112dd62e70c0cabe505aa834d37be53e46e152ca6c06ec9d4314412262fe528d16e6e0d285b29e4acc1ae10d58798567f4bb88a6c747ca65541e575e43eab8
- SSDEEP
  
  3072:FXFq3Cj8LqP/D9+y7jP0WCuH4q07guhoK:lFw/mPL9+yXFHv07N
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Web Service

Impact

Tasks

static1

behavioral1

agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

behavioral2

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy