agenttesla

General

Target

JUSTIFICANTE DE PAGO30032023pdf.exe
Size

766KB
Sample

230403-gr1xwsdb34
MD5

08422117b96b96d5164ef061bf874307
SHA1

3ff48d4a298db79468ab8716a9814f2fe703e031
SHA256

46903e776f2014fcd877ba071d2707c749ddae140e7682f5cc00c894914f3303
SHA512

22bdb0737d070e0783cdb2d311d827215b750d16ce29345266812ba61d2d9067c0bbe865df34dab37e9af56c96fba63547f7bf05cd1b7c1c8af10d4233102fc4
SSDEEP

12288:/ghti/pIS61qK7fXHUoTQDsqRaKbygMG9IFqnWAQsZufEIx5tx715v1:4O2A0fXHUSkdRPy1GRWAQRMIxTR13

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
opticaarense.com
Port:
587
Username:
[email protected]
Password:
vGU5B*g^8Med
Email To:
[email protected]

Targets

- Target
  
  JUSTIFICANTE DE PAGO30032023pdf.exe
- Size
  
  766KB
- MD5
  
  08422117b96b96d5164ef061bf874307
- SHA1
  
  3ff48d4a298db79468ab8716a9814f2fe703e031
- SHA256
  
  46903e776f2014fcd877ba071d2707c749ddae140e7682f5cc00c894914f3303
- SHA512
  
  22bdb0737d070e0783cdb2d311d827215b750d16ce29345266812ba61d2d9067c0bbe865df34dab37e9af56c96fba63547f7bf05cd1b7c1c8af10d4233102fc4
- SSDEEP
  
  12288:/ghti/pIS61qK7fXHUoTQDsqRaKbygMG9IFqnWAQsZufEIx5tx715v1:4O2A0fXHUSkdRPy1GRWAQRMIxTR13
Score

10^/10

agenttesla guloader collection downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Checks QEMU agent file

Loads dropped DLL

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2