agenttesla

Resubmissions

17-09-2023 21:42

230917-1kqywsfc99 10

09-09-2023 02:55

06-09-2023 17:13

13-08-2023 17:31

27-06-2023 12:47

13-06-2023 16:07

Sharing

Copy URL

Twitter E-mail

General

Target

a.zip
Size

832B
Sample

230613-tklwlsgh96
MD5

10e578867faad166dc6a8f3868cef2f4
SHA1

f541fab60d482834e90638c5aebdefe3d997174e
SHA256

6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
SHA512

38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Ares

nov231122.con-ip.com:7476

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windowsecurity.exe
copy_folder
Security Windows
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-L3UAVE
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

192.168.175.1:1800

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

newcrypt

103.136.199.131:4782

158.247.227.231:4782

Mutex

973aa178-3f17-48ed-b33e-52dd11425768

Attributes

encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome Updater
subdirectory
SubDir

Extracted

Family

remcos

Version

4.6.0 Light

Botnet

RemoteHost

127.0.0.1:1800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-C9JE9X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

Layouts

datbuggy.servepics.com:58003

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7OBYTV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

agenttesla

https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/

Extracted

Family

quasar

Version

1.4.0

Botnet

hplus20230325

103.136.199.131:4782

158.247.227.231:4782

Mutex

17eb206f-a56e-4361-a18e-7ca16f3b99cc

Attributes

encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome Updater
subdirectory
SubDir

Targets

- Target
  
  a.zip
- Size
  
  832B
- MD5
  
  10e578867faad166dc6a8f3868cef2f4
- SHA1
  
  f541fab60d482834e90638c5aebdefe3d997174e
- SHA256
  
  6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
- SHA512
  
  38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114
Score

10^/10

agenttesla asyncrat quasar remcos ares default hplus20230325 layouts newcrypt remotehost keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Async RAT payload
  rat
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

Score

1^/10

behavioral1

agentteslaasyncratquasarremcosaresdefaulthplus20230325layoutsnewcryptremotehostkeyloggerratspywarestealertrojan

Score

10^/10

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

AsyncRat

Quasar RAT

Quasar payload

Remcos

Async RAT payload

Downloads MZ/PE file

Executes dropped EXE

Uses the VBS compiler for execution

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1