agenttesla

General

Target

Rechnung_pdf.vbs
Size

421KB
Sample

230209-nxwcxsag5x
MD5

4bb86c670f6d70dcfbd583b935198df4
SHA1

5de86ff42c9ea4e7c0e178f5fb93a091733d353b
SHA256

58b1f8aacbc830fd6cd4288bc82bc6116813f26d9da18dd44afbf1238baa44c9
SHA512

f9a8c84577a386d1ed6dd6ccadbc44431e98225f24c3bf521e48e58c5acea010eaf2b35737aeb0d92e50d1deeebce2d9b40ddc2959c7667efc2f41d24b495ea3
SSDEEP

6144:9LmBIe9NXiN3+fad3vpL1QhZK2kbYY4vJqNCayKbjAteqlVavO10cok6xG15UtG6:9Et9Nywq3vRQiV4viCayLJ7aGUk31WT5

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mcmprint.net
Port:
21
Username:
[email protected]
Password:
l9Hh{#_(0shZ

Targets

- Target
  
  Rechnung_pdf.vbs
- Size
  
  421KB
- MD5
  
  4bb86c670f6d70dcfbd583b935198df4
- SHA1
  
  5de86ff42c9ea4e7c0e178f5fb93a091733d353b
- SHA256
  
  58b1f8aacbc830fd6cd4288bc82bc6116813f26d9da18dd44afbf1238baa44c9
- SHA512
  
  f9a8c84577a386d1ed6dd6ccadbc44431e98225f24c3bf521e48e58c5acea010eaf2b35737aeb0d92e50d1deeebce2d9b40ddc2959c7667efc2f41d24b495ea3
- SSDEEP
  
  6144:9LmBIe9NXiN3+fad3vpL1QhZK2kbYY4vJqNCayKbjAteqlVavO10cok6xG15UtG6:9Et9Nywq3vRQiV4viCayLJ7aGUk31WT5
Score

10^/10

guloader downloader agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2