agenttesla

General

Target

oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs
Size

417KB
Sample

230209-pmcnhacb26
MD5

7d8a0e790aa510d782dc26e392e059b5
SHA1

51cff6c25901887b9285db2a14bba6afecc1736b
SHA256

46cb28ba99ec877feb3fae26e33f934420fe8cc061d3dc06bfa660c25529f659
SHA512

794d31545335a5c52e3ed27f26113bf6cb4eb85e67cd67a2f597d3d837614ba54a39c191153ebd6976ca98bce0cbdd1726adfcd93870a5fa3dab2dac6d1d4c06
SSDEEP

12288:Yaui1A78oYQaHzgcOk+dUzUwoPOP61WfR:ciqk7rgwoPM6AfR

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ectrowconstrutora.com.br
Port:
21
Username:
[email protected]
Password:
@ectrowconstrutora.com.br

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ectrowconstrutora.com.br
Port:
21
Username:
[email protected]
Password:
@ectrowconstrutora.com.br

Targets

- Target
  
  oferta urgente GARMON ENERGIAS, S.L. 02.09.2023.vbs
- Size
  
  417KB
- MD5
  
  7d8a0e790aa510d782dc26e392e059b5
- SHA1
  
  51cff6c25901887b9285db2a14bba6afecc1736b
- SHA256
  
  46cb28ba99ec877feb3fae26e33f934420fe8cc061d3dc06bfa660c25529f659
- SHA512
  
  794d31545335a5c52e3ed27f26113bf6cb4eb85e67cd67a2f597d3d837614ba54a39c191153ebd6976ca98bce0cbdd1726adfcd93870a5fa3dab2dac6d1d4c06
- SSDEEP
  
  12288:Yaui1A78oYQaHzgcOk+dUzUwoPOP61WfR:ciqk7rgwoPM6AfR
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2