agenttesla | 0dadaf0eb1832bfa87259ffa7481ab5cfdd40455dd6643858f856afceaf17c14 | Triage

Submit
Reports

Overview

overview

Static

static

1

New items order.vbs

windows7-x64

New items order.vbs

windows10-2004-x64

8

Sharing

General

Target

New items order.vbs
Size

53KB
Sample

230209-cnyadafa5t
MD5

68a4d5e4c541961d428996136e9739aa
SHA1

ac722c0b712636eb7efbd995035dd149311e0ee9
SHA256

0dadaf0eb1832bfa87259ffa7481ab5cfdd40455dd6643858f856afceaf17c14
SHA512

379d322247d03e9826ff4bc0de5a849da314f8631b59f0ccf36949e98999f11b84ad564f84e7497755eb333aa0c82381e844a16f6fc533fcec86ddb710e6d517
SSDEEP

1536:Y7ApYVwpqGY8n/pevDkFwjYkRaSQSAykbhATO4RWKIRJRa:Y7ApYVIsvDkajJUSaxF4Rj2fa

Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

New items order.vbs

Resource

win7-20220812-en

agenttesla guloader collection downloader keylogger spyware stealer trojan

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

New items order.vbs

Resource

win10v2004-20220812-en

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5693068931:AAGSQSNIWDJM1FzeZVNHS020I9wVBrQdkRM/

Targets

- Target
  
  New items order.vbs
- Size
  
  53KB
- MD5
  
  68a4d5e4c541961d428996136e9739aa
- SHA1
  
  ac722c0b712636eb7efbd995035dd149311e0ee9
- SHA256
  
  0dadaf0eb1832bfa87259ffa7481ab5cfdd40455dd6643858f856afceaf17c14
- SHA512
  
  379d322247d03e9826ff4bc0de5a849da314f8631b59f0ccf36949e98999f11b84ad564f84e7497755eb333aa0c82381e844a16f6fc533fcec86ddb710e6d517
- SSDEEP
  
  1536:Y7ApYVwpqGY8n/pevDkFwjYkRaSQSAykbhATO4RWKIRJRa:Y7ApYVIsvDkajJUSaxF4Rj2fa
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaguloadercollectiondownloaderkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy