agenttesla

General

Target

HSBC payment receipt confirmation.exe
Size

302KB
Sample

230403-pnxp3agc2x
MD5

ec5df44a36001e9f2200fd7fff14924f
SHA1

8d2022e732d1e5f6ac485b5109126bb36bc84e23
SHA256

caf7cfc2d3a76c442c36aa41e192ade5c4da13e51000b8f2746cc0ced8f4e0a1
SHA512

5787b6b2ce2f3e36d4f37100bb01af1236d386c96c9ecb5e457210db9d4fd16369c1b2248552bf919d1b8cbc0e607e64485d13566769e001bfdeb7b164dd05d6
SSDEEP

6144:+OGfqDye3NCT8yGjm04y0O12udoEUAybGMVxI:+OmiCgD4wldEKMVxI

Score

10^/10

Malware Config

Extracted

Family

warzonerat

C2

91.192.100.10:11011

Extracted

Credentials

Protocol: smtp
Host:
mail.mondistar.ro
Port:
587
Username:
[email protected]
Password:
MondiStar@2018!

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mondistar.ro
Port:
587
Username:
[email protected]
Password:
MondiStar@2018!
Email To:
[email protected]

Targets

- Target
  
  HSBC payment receipt confirmation.exe
- Size
  
  302KB
- MD5
  
  ec5df44a36001e9f2200fd7fff14924f
- SHA1
  
  8d2022e732d1e5f6ac485b5109126bb36bc84e23
- SHA256
  
  caf7cfc2d3a76c442c36aa41e192ade5c4da13e51000b8f2746cc0ced8f4e0a1
- SHA512
  
  5787b6b2ce2f3e36d4f37100bb01af1236d386c96c9ecb5e457210db9d4fd16369c1b2248552bf919d1b8cbc0e607e64485d13566769e001bfdeb7b164dd05d6
- SSDEEP
  
  6144:+OGfqDye3NCT8yGjm04y0O12udoEUAybGMVxI:+OmiCgD4wldEKMVxI
Score

10^/10

warzonerat collection infostealer persistence rat agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

WarzoneRat, AveMaria

Warzone RAT payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2