agenttesla

General

Target

Invoice copy.gz
Size

27KB
Sample

230213-l3yn5abh3x
MD5

e3fbbd358ba94c81d8a98bf0094e0b5f
SHA1

f01141d49bc22de7b53c2f102d8258eba92b7bf0
SHA256

1fdf68f0dfeebac092002cb137bd0712530486d57ee2a919bc690bc65a70430c
SHA512

b636fd7e342aacf35097ee2d2fa2608e201e590c93492eeb1217b4fd712226030ac41adfd46c979ced886075df0c99865ebab0e625653a9e9095da2ac23f49d8
SSDEEP

768:lRvNEiubRe0pVh+2XsAOwYLknXufwpYlZwEk:rvrubRekk28AOpLQX8wqlZA

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://megookbpnq.cf/jernha.dsp

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5350270151:AAHiqzi7CQnEGEk3Xi-PyJX8ov0x6B-8S1I/

Targets

- Target
  
  Invoice copy.vbs
- Size
  
  51KB
- MD5
  
  f3a9804fd02a79f03baa34c927567847
- SHA1
  
  61ddc401e537e878b3a0f67c7877ae4c953fafcb
- SHA256
  
  a2d2cada1b167fcf06ac9a85fb47a71738187152544484b5d280a523adb93d1c
- SHA512
  
  4909feda912a9e9a0349eeef3f711623c2bb536f23d2ca4d28a15c3d21326f036b8077c19de34ab92c509d3fccea53930f4425747590233b947f217f9a0d6f5c
- SSDEEP
  
  768:P5MV9DybrUJAhATljcJBgYspgasqSQmepk1+R5SK:P4GhhA5jqI+aWQdT
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2