agenttesla | caba108ecd1e8601819b9863c8f790b8f93f00d607e0d5a2089bb8148905128f | Triage

Sharing

General

Target

StubBuilder.rar
Size

9.8MB
Sample

230820-wgbmksad5s
MD5

ecaf886156ca26b4c09503d65b3adb08
SHA1

8fcdaba4c79e3d74ea9774062fd2f3815bc827bd
SHA256

caba108ecd1e8601819b9863c8f790b8f93f00d607e0d5a2089bb8148905128f
SHA512

22929d4f0ddf992cf2c7471f80e0c4dc71f6175898318d494538c27713a8a11fec680186574f6c1cffba01042a096aac659f140375565825fdcf15b23f49a962
SSDEEP

196608:Ta/QbujucsqRVaPGo9onqOM5dJ7giry3Z6KbDzGrdIMZILmhN0U58:N8ucsqRe2qOG7Zrba6zZUSny

Score

10^/10

agenttesla keylogger pyinstaller spyware stealer trojan

Malware Config

Targets

- Target
  
  StubBuilder/Guna.UI2.dll
- Size
  
  2.2MB
- MD5
  
  934c47fe3a9a700c9bd7256918ea2a55
- SHA1
  
  5b4ab5482adbe76e4ad27c4a3d6f1e24e2d1082e
- SHA256
  
  93875f9056684dad7f345ad63a9d9fbad8fe3c83ae9bd82f618a1e1cb5f1e8a6
- SHA512
  
  9186860bcba7dabc22812c42c4ac941930a561cba3e2dd54b6234dd068786f690302241e42a747d2cf102b1fcd325126c3b6f9174cb21702c6951847ac318ec1
- SSDEEP
  
  24576:7YiAs/rXPAYkqjW7CedtntpzuVHt7hyFpASvvD9oA3cPPEMvDbEU+rHQ/jza:7Yk/rtujLYVN701mA3v
Score

1^/10
behavioral1
- Target
  
  StubBuilder/StubBuilder.exe
- Size
  
  44KB
- MD5
  
  b3dd3992c85fd1cfc877a236b97d3a3a
- SHA1
  
  e3f52a75340f82c4e8f9ac47cb2209ae8f76a84a
- SHA256
  
  fde4fdd98d9e67bd412738f5b41e79d15c3e1f4bc861662c669e6f30569a2962
- SHA512
  
  e172e9cb3480e5b9fff939b69f7c26953ee6e39dc77c552f3a9638b9d462dc98a1a0872c3c888d52bb09d24c247b4285bacde7b331d0cf6805e8253e64b9361e
- SSDEEP
  
  768:s+s3XohtlvF5dF7VM9qBhAmmC1+yr66fIVbcjw:zsHohv7VMUBQByWCw
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral2
- Target
  
  StubBuilder/StubBuilderHelper.exe
- Size
  
  9.2MB
- MD5
  
  1a1e9ea16aeec7ece068d0324d40da00
- SHA1
  
  9e33dae3fdc90ad356de23000566a97284c43b72
- SHA256
  
  42d82da1f1cce098fa96a1b97c83e0044530b10d76b1543587bee724ec62923c
- SHA512
  
  d71932b4d669f056f1b7eae4140115871ec11515f056e4b48eecafa7c41f8df756cd3e056f963ddb15e6d0fe189915135291630e3d734d90a942a900e594fd84
- SSDEEP
  
  196608:/cdzUjpRRofdQmR5dA6lsuErSEEJwzeiOF6OVsmYPuksBq:8oVRRqdQ2ls+9JqelOmz
Score

7^/10

spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstalleragenttesla

behavioral1

behavioral2

agentteslakeyloggerspywarestealertrojan

behavioral3