agenttesla

General

Target

hgj.exe
Size

381KB
Sample

230403-p9jqbseh44
MD5

430ff166ab0342bc7036bc9af090dd82
SHA1

96dc919ed5e15d9a8db55e570658bb88dc38b2c6
SHA256

d656346e915ba499f5d4ddc36e9753891e2335ec7d309e0bc38b91c3875b081f
SHA512

074e97b5cbb5782e5ddb6ccc5166216f44e32960218735d68fb9d2508c9b5b08209289634d8b857722597e765a7633eb923ebfe71c7bae06448ad8c4c0f93169
SSDEEP

6144:eDNA9p+LExdEfqDye3NCT8yGjm04y0O12udoEUAqI:IZLExdAiCgD4wldEHI

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

91.192.100.10:11011

Extracted

Credentials

Protocol: smtp
Host:
mail.mondistar.ro
Port:
587
Username:
control@mondistar.ro
Password:
MondiStar@2018!

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mondistar.ro
Port:
587
Username:
control@mondistar.ro
Password:
MondiStar@2018!
Email To:
sales5dept@yandex.com

Targets

- Target
  
  hgj.exe
- Size
  
  381KB
- MD5
  
  430ff166ab0342bc7036bc9af090dd82
- SHA1
  
  96dc919ed5e15d9a8db55e570658bb88dc38b2c6
- SHA256
  
  d656346e915ba499f5d4ddc36e9753891e2335ec7d309e0bc38b91c3875b081f
- SHA512
  
  074e97b5cbb5782e5ddb6ccc5166216f44e32960218735d68fb9d2508c9b5b08209289634d8b857722597e765a7633eb923ebfe71c7bae06448ad8c4c0f93169
- SSDEEP
  
  6144:eDNA9p+LExdEfqDye3NCT8yGjm04y0O12udoEUAqI:IZLExdAiCgD4wldEHI
Score

10^/10

warzonerat collection infostealer persistence rat agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

WarzoneRat, AveMaria

Warzone RAT payload

Downloads MZ/PE file

.NET Reactor proctector

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2