agenttesla | 8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9 | Triage

Resubmissions

20-05-2023 01:01

230520-bdhlhahd64 10

20-05-2023 00:59

230520-bb6wbahd52 10

17-05-2023 15:12

230517-sld2qafe25 10

16-05-2023 18:13

230516-wt6ngsbb3s 10

16-05-2023 18:11

230516-wsz5babb2w 10

16-05-2023 18:10

230516-wr6wgabb2s 10

16-05-2023 18:03

230516-wm22qabh79 10

Sharing

General

Target

a.bin
Size

5KB
Sample

230517-sld2qafe25
MD5

69525fa93fd47eb3c533afe3b1baba48
SHA1

3dea1b337987177c73c64e89b370d90dc94c64cb
SHA256

8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
SHA512

909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
SSDEEP

48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt

Score

10^/10

agenttesla lumma vidar da3b70a6d41764717ff479f0edd50071 evasion keylogger spyware stealer trojan vmprotect

Malware Config

Extracted

Family

vidar

Version

3.9

Botnet

da3b70a6d41764717ff479f0edd50071

C2

https://steamcommunity.com/profiles/76561199263069598

https://t.me/cybehost

Attributes

profile_id_v2
da3b70a6d41764717ff479f0edd50071
user_agent
Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.7 (like Gecko) (Debian)

Targets

- Target
  
  a.bin
- Size
  
  5KB
- MD5
  
  69525fa93fd47eb3c533afe3b1baba48
- SHA1
  
  3dea1b337987177c73c64e89b370d90dc94c64cb
- SHA256
  
  8e9c6b72a19705e65d654814d0770a67c7c4a2e52915f6115dc740ab254ed4a9
- SHA512
  
  909202467de5c96404c154cd3be55643df62c13c395bd6e0406be5834c3a10b953f42cc3520ac5979af754af192260ec737d19892333e5a8dfab79aef9b23182
- SSDEEP
  
  48:6di2oYDjX9iqhf3FXfkQHjJhyPFlWa8tYDdqIYM/cphuOulavTqXSfbNtm:uNiqp3JkQHyDUtE2WcpisvNzNt
Score

10^/10

agenttesla lumma vidar da3b70a6d41764717ff479f0edd50071 evasion keylogger spyware stealer trojan vmprotect
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

Persistence

Hidden Files and Directories

Modify Existing Service

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Impair Defenses

Scripting

Web Service

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

agentteslalummavidarda3b70a6d41764717ff479f0edd50071evasionkeyloggerspywarestealertrojanvmprotect