agenttesla

Resubmissions

04-12-2023 23:29

231204-3gsz7agb7z 10

22-11-2023 01:10

231122-bjkcaaac8w 10

13-06-2023 19:34

230613-x94phabc44 10

13-06-2023 17:37

230613-v7hm5shf83 10

Sharing

Copy URL

Twitter E-mail

General

Target

http://51.79.49.73/crc/
Sample

230613-v7hm5shf83

Score

10^/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

192.168.175.1:1800

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

windows10-11.ddns.net:1111

windows10-11.ddnsfree.com:1111

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

agenttesla

https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/

Extracted

Family

quasar

Version

1.4.0

Botnet

hplus20230325

103.136.199.131:4782

158.247.227.231:4782

Mutex

17eb206f-a56e-4361-a18e-7ca16f3b99cc

Attributes

encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome Updater
subdirectory
SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

300

windows10-11.ddnsfree.com:5552

windows10-11.ddns.net:5552

Mutex

QSR_MUTEX_EDK2mTJCIRHYLqOOOz

Attributes

encryption_key
ZTfuIwaAdGJ7DbdAS9Km
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

warzonerat

testing1212.ddns.net:5201

Extracted

Family

remcos

Botnet

Ares

nov231122.con-ip.com:7476

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windowsecurity.exe
copy_folder
Security Windows
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-L3UAVE
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Extracted

Family

quasar

Version

1.4.0

Botnet

newcrypt

103.136.199.131:4782

158.247.227.231:4782

Mutex

973aa178-3f17-48ed-b33e-52dd11425768

Attributes

encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Google Chrome Updater
subdirectory
SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EdrawMax

forex.4cloud.click:1981

Mutex

wsbTZmpkXyxm8xAsQP

Attributes

encryption_key
iBgx6lbqLn18oNE3C8cN
install_name
Client.exe
log_directory
16k
reconnect_delay
10000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  http://51.79.49.73/crc/
Score

10^/10

agenttesla asyncrat quasar remcos warzonerat 300 ares default edrawmax hplus20230325 newcrypt collection infostealer keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Async RAT payload
  rat
- Warzone RAT payload
  rat
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

AsyncRat

Quasar RAT

Quasar payload

Remcos

WarzoneRat, AveMaria

Async RAT payload

Warzone RAT payload

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Accesses Microsoft Outlook profiles

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

urlscan1

behavioral1