agenttesla

Sharing

General

Target

a.bin
Size

5KB
Sample

230529-mhkgfabg8w
MD5

ebdedb0d0018bb3097015535ab716b12
SHA1

208793bf40fecbdc245bf9752d90ec4f3ee1aaf3
SHA256

7eacbc3d02ee34b4f840f20bf8afe38894f3545d403abb105334f176ed515a44
SHA512

98fe11b5073fda169724316d2a54576abe328dde82cb938e8009512d6a46d30e661f06cd051b4ceb2389ea8176f2da82f678bada2d27ceddaf741947060b9d5b
SSDEEP

96:HRYoIuz1zuz1huz1JxrPTi0ak69iDgtwZ+Qp6svNzNt:HuoI0z0h0Jxrri0akxawZ+UFn

Score

10^/10

Malware Config

Extracted

Family

xworm

10.0.2.15:5555

Mutex

TNZstVyCMYPlDDeU

Attributes

install_file
ms-update.exe

aes.plain

Extracted

Family

redline

Botnet

dix

77.91.124.251:19065

Attributes

auth_value
9b544b3d9c88af32e2f5bf8705f9a2fb

Extracted

Family

redline

Botnet

diza

185.161.248.37:4138

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

Redline

85.31.54.183:18435

Attributes

auth_value
50837656cba6e4dd56bfbb4a61dadb63

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.lubdub.com
Port:
587
Username:
operations@lubdub.com
Password:
J-y!2e_fWMH_XP8F_008
Email To:
godwingodwin397@gmail.com

Targets

- Target
  
  a.bin
- Size
  
  5KB
- MD5
  
  ebdedb0d0018bb3097015535ab716b12
- SHA1
  
  208793bf40fecbdc245bf9752d90ec4f3ee1aaf3
- SHA256
  
  7eacbc3d02ee34b4f840f20bf8afe38894f3545d403abb105334f176ed515a44
- SHA512
  
  98fe11b5073fda169724316d2a54576abe328dde82cb938e8009512d6a46d30e661f06cd051b4ceb2389ea8176f2da82f678bada2d27ceddaf741947060b9d5b
- SSDEEP
  
  96:HRYoIuz1zuz1huz1JxrPTi0ak69iDgtwZ+Qp6svNzNt:HuoI0z0h0Jxrri0akxawZ+UFn
Score

10^/10

agenttesla redline smokeloader xworm dix diza redline up3 backdoor discovery evasion infostealer keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- UAC bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1