agenttesla | 2023-08-28-19[.]zip

Resubmissions

28/08/2023, 22:24

230828-2bgjjabd8v 10

28/08/2023, 20:43

230828-zhwwpaah5z 10

Sharing

Copy URL Twitter E-mail

General

Target

2023-08-28-19.zip
Size

21.5MB
MD5

c7baa049d83fa0606542701de5d3b576
SHA1

83d5f76419e71c43a529adc058e9a676b591fb73
SHA256

2cabe32830731b8df20d552a3f49b42db206f27deb35b2f042f9c4fb08a7a49e
SHA512

a8b179c8b6f1fc474f78735c317f1d09f7d4b2397f5308a55135149454495ee96b6b876f57fb47d52f9c59b25f17aac1b2958a47cdfbc10ef31b4b7d903e0c82
SSDEEP

393216:ZkHUtD6fo/OZa/Afh/5uLNGcK8c5HAmuoEDlqBttSa/Ms3vMeaalg/oWzzZcP:K0tDrYLl5ovFc5H1qq5J/MsUMShzaP

Score

10^/10

upx agenttesla

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
kbiotech.co
Port:
587
Username:
[email protected]
Password:
Bukky101@
Email To:
[email protected]

Signatures

Agenttesla family
agenttesla

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
static1/unpack001/355b47f2a6bf1b128605461925d0e707406eadc9dd1d2efdd0bebfdecea9a220.elf	upx
static1/unpack001/3ed703cc409092bacdf34cc1d8a12bb422f552106e8152ce9020f4efa7cc02fb.elf	upx
static1/unpack001/6737c3a0b6e8adc26eb486590385fa0261d5d73a1ef60681c330d1605c30ae75.elf	upx

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/9050f1b2fe9de1303a608ad5329db45d101ff616009add295d67e162ab4d8dfc.exe
unpack001/b3d24b07e0511eebf55c52c8d7d6f5a1b5d8ed9bbc063864d10e3bf99ed43279.exe
unpack001/f291b68a9b9889a01d736cb0079c8be1e3f576d19ba1f4762cf2302984455bd2.exe

Files

2023-08-28-19.zip
.zip

Password: infected
094623f35c1f35f30ee82879d037741c5772de0cf72e2254afd23342d3ae41f6.macho
.macho macos
355b47f2a6bf1b128605461925d0e707406eadc9dd1d2efdd0bebfdecea9a220.elf
.elf linux arm
3ed703cc409092bacdf34cc1d8a12bb422f552106e8152ce9020f4efa7cc02fb.elf
.elf linux x86
6737c3a0b6e8adc26eb486590385fa0261d5d73a1ef60681c330d1605c30ae75.elf
.elf linux arm
7675c8630359aa83692821a309ba1ac8837975ced6e254b0da1d15e7b200ab13.exe
.exe windows x86

Password: infected

e88a529caf2666acedc4a4b0f2baa386

Code Sign

a4:23:c0:04:a9:c7:70:15:42:30:e5:d2:71:be:06:54
Certificate

Issuer

CN=SecureTrust CA,O=SecureTrust Corporation,C=US

Not Before

01/09/2016, 14:35

Not After

29/09/2024, 14:35

Subject

CN=Trustwave Code Signing SHA256 CA\, Level 1,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US,1.2.840.113549.1.9.1=#0c106361407472757374776176652e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:16:9b:8d:9c:b0:85:e5:27:53:79:2f:f9:f6:c5:6a:44:3a:10
Certificate

Issuer

CN=Trustwave Code Signing SHA256 CA\, Level 1,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US,1.2.840.113549.1.9.1=#0c106361407472757374776176652e636f6d

Not Before

03/02/2020, 10:09

Not After

02/02/2023, 16:09

Subject

CN=TLauncher Inc.,O=TLauncher Inc.,L=Victoria,ST=Mahe,C=SC

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:71:c2:62:80:b4:da:77:02:03:13:ab:bc:fa:a3:ff:ed:8b:2a
Certificate

Issuer

CN=Viking Cloud TWG Timestamping CA\, Level 1,O=Viking Cloud\, Inc.,C=US

Not Before

10/08/2022, 10:55

Not After

06/11/2033, 16:55

Subject

CN=Viking Cloud TWG Timestamping Responder 2022,O=Viking Cloud\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:71:c1:bc:fc:08:5f:97:f1:8c:6a:6a:23:c8:d3:7f:08:7d:f9
Certificate

Issuer

CN=Trustwave Global Certification Authority,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US

Not Before

10/08/2022, 10:18

Not After

10/08/2037, 10:18

Subject

CN=Viking Cloud TWG Timestamping CA\, Level 1,O=Viking Cloud\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a4:23:c0:04:a9:c7:70:15:42:30:e5:d2:71:be:06:54
Certificate

Issuer

CN=SecureTrust CA,O=SecureTrust Corporation,C=US

Not Before

01/09/2016, 14:35

Not After

29/09/2024, 14:35

Subject

CN=Trustwave Code Signing SHA256 CA\, Level 1,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US,1.2.840.113549.1.9.1=#0c106361407472757374776176652e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

07:16:9b:8d:9c:b0:85:e5:27:53:79:2f:f9:f6:c5:6a:44:3a:10
Certificate

Issuer

CN=Trustwave Code Signing SHA256 CA\, Level 1,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US,1.2.840.113549.1.9.1=#0c106361407472757374776176652e636f6d

Not Before

03/02/2020, 10:09

Not After

02/02/2023, 16:09

Subject

CN=TLauncher Inc.,O=TLauncher Inc.,L=Victoria,ST=Mahe,C=SC

Extended Key Usages

ExtKeyUsageCodeSigning

Key Usages

KeyUsageDigitalSignature

07:71:c2:62:80:b4:da:77:02:03:13:ab:bc:fa:a3:ff:ed:8b:2a
Certificate

Issuer

CN=Viking Cloud TWG Timestamping CA\, Level 1,O=Viking Cloud\, Inc.,C=US

Not Before

10/08/2022, 10:55

Not After

06/11/2033, 16:55

Subject

CN=Viking Cloud TWG Timestamping Responder 2022,O=Viking Cloud\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature

07:71:c1:bc:fc:08:5f:97:f1:8c:6a:6a:23:c8:d3:7f:08:7d:f9
Certificate

Issuer

CN=Trustwave Global Certification Authority,O=Trustwave Holdings\, Inc.,L=Chicago,ST=Illinois,C=US

Not Before

10/08/2022, 10:18

Not After

10/08/2037, 10:18

Subject

CN=Viking Cloud TWG Timestamping CA\, Level 1,O=Viking Cloud\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

a1:4f:98:af:e5:8b:0c:0f:fb:33:fd:9d:1d:bc:b3:87:cc:7d:99:84:56:80:44:f9:e3:7c:02:84:93:09:3b:03
Signer

Actual PE Digest

a1:4f:98:af:e5:8b:0c:0f:fb:33:fd:9d:1d:bc:b3:87:cc:7d:99:84:56:80:44:f9:e3:7c:02:84:93:09:3b:03

Digest Algorithm

sha256

PE Digest Matches

false

d7:88:00:b1:81:23:e5:2b:63:5a:cb:6b:83:e2:c4:98:7e:84:2d:03
Signer

Actual PE Digest

d7:88:00:b1:81:23:e5:2b:63:5a:cb:6b:83:e2:c4:98:7e:84:2d:03

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

EncodePointer
DecodePointer
EnterCriticalSection
LeaveCriticalSection
InitializeCriticalSectionEx
DeleteCriticalSection
MultiByteToWideChar
WideCharToMultiByte
LCMapStringEx
GetStringTypeW
GetCPInfo
IsProcessorFeaturePresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
CreateFileW
RaiseException
RtlUnwind
GetLastError
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
GetProcAddress
LoadLibraryExW
GetStdHandle
WriteFile
GetModuleFileNameW
ExitProcess
GetModuleHandleExW
GetCommandLineA
GetCommandLineW
HeapFree
HeapAlloc
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
GetFileType
CloseHandle
FlushFileBuffers
GetConsoleOutputCP
GetConsoleMode
ReadFile
GetFileSizeEx
SetFilePointerEx
ReadConsoleW
HeapReAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetProcessHeap
HeapSize
WriteConsoleW

Sections

.text
Size: 110KB - Virtual size: 109KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 50KB - Virtual size: 50KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Nomm
Size: 1.1MB - Virtual size: 1.1MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Home
Size: 512B - Virtual size: 4B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 6KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
9050f1b2fe9de1303a608ad5329db45d101ff616009add295d67e162ab4d8dfc.exe
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 103KB - Virtual size: 102KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
b3d24b07e0511eebf55c52c8d7d6f5a1b5d8ed9bbc063864d10e3bf99ed43279.exe
.exe windows x86

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 243KB - Virtual size: 243KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
f291b68a9b9889a01d736cb0079c8be1e3f576d19ba1f4762cf2302984455bd2.exe
.exe windows x64

Password: infected

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Size: 588KB - Virtual size: 1.4MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Size: 163KB - Virtual size: 520KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 10KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Size: 35KB - Virtual size: 64KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 512B - Virtual size: 488B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

.idata
Size: 2KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 4KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 512B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

daw
Size: - Virtual size: 34.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.boot
Size: 19.9MB - Virtual size: 19.9MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.reloc
Size: 16B - Virtual size: 4KB

IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Extracted

Signatures

Files

Password: infected

Password: infected

e88a529caf2666acedc4a4b0f2baa386

Code Sign

a4:23:c0:04:a9:c7:70:15:42:30:e5:d2:71:be:06:54Certificate

Extended Key Usages

Key Usages

07:16:9b:8d:9c:b0:85:e5:27:53:79:2f:f9:f6:c5:6a:44:3a:10Certificate

Extended Key Usages

Key Usages

07:71:c2:62:80:b4:da:77:02:03:13:ab:bc:fa:a3:ff:ed:8b:2aCertificate

Extended Key Usages

Key Usages

07:71:c1:bc:fc:08:5f:97:f1:8c:6a:6a:23:c8:d3:7f:08:7d:f9Certificate

Extended Key Usages

Key Usages

a4:23:c0:04:a9:c7:70:15:42:30:e5:d2:71:be:06:54Certificate

Extended Key Usages

Key Usages

07:16:9b:8d:9c:b0:85:e5:27:53:79:2f:f9:f6:c5:6a:44:3a:10Certificate

Extended Key Usages

Key Usages

07:71:c2:62:80:b4:da:77:02:03:13:ab:bc:fa:a3:ff:ed:8b:2aCertificate

Extended Key Usages

Key Usages

07:71:c1:bc:fc:08:5f:97:f1:8c:6a:6a:23:c8:d3:7f:08:7d:f9Certificate

Extended Key Usages

Key Usages

a1:4f:98:af:e5:8b:0c:0f:fb:33:fd:9d:1d:bc:b3:87:cc:7d:99:84:56:80:44:f9:e3:7c:02:84:93:09:3b:03Signer

d7:88:00:b1:81:23:e5:2b:63:5a:cb:6b:83:e2:c4:98:7e:84:2d:03Signer

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Sections

.text Size: 110KB - Virtual size: 109KB

.rdata Size: 50KB - Virtual size: 50KB

.data Size: 4KB - Virtual size: 7KB

Nomm Size: 1.1MB - Virtual size: 1.1MB

Home Size: 512B - Virtual size: 4B

.reloc Size: 6KB - Virtual size: 6KB

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 103KB - Virtual size: 102KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 243KB - Virtual size: 243KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

Password: infected

Headers

DLL Characteristics

File Characteristics

Sections

Size: 588KB - Virtual size: 1.4MB

Size: 163KB - Virtual size: 520KB

Size: 1KB - Virtual size: 10KB

Size: 35KB - Virtual size: 64KB

a4:23:c0:04:a9:c7:70:15:42:30:e5:d2:71:be:06:54
Certificate

07:16:9b:8d:9c:b0:85:e5:27:53:79:2f:f9:f6:c5:6a:44:3a:10
Certificate

07:71:c2:62:80:b4:da:77:02:03:13:ab:bc:fa:a3:ff:ed:8b:2a
Certificate

07:71:c1:bc:fc:08:5f:97:f1:8c:6a:6a:23:c8:d3:7f:08:7d:f9
Certificate

a4:23:c0:04:a9:c7:70:15:42:30:e5:d2:71:be:06:54
Certificate

07:16:9b:8d:9c:b0:85:e5:27:53:79:2f:f9:f6:c5:6a:44:3a:10
Certificate

07:71:c2:62:80:b4:da:77:02:03:13:ab:bc:fa:a3:ff:ed:8b:2a
Certificate

07:71:c1:bc:fc:08:5f:97:f1:8c:6a:6a:23:c8:d3:7f:08:7d:f9
Certificate

a1:4f:98:af:e5:8b:0c:0f:fb:33:fd:9d:1d:bc:b3:87:cc:7d:99:84:56:80:44:f9:e3:7c:02:84:93:09:3b:03
Signer

d7:88:00:b1:81:23:e5:2b:63:5a:cb:6b:83:e2:c4:98:7e:84:2d:03
Signer

.text
Size: 110KB - Virtual size: 109KB

.rdata
Size: 50KB - Virtual size: 50KB

.data
Size: 4KB - Virtual size: 7KB

Nomm
Size: 1.1MB - Virtual size: 1.1MB

Home
Size: 512B - Virtual size: 4B

.reloc
Size: 6KB - Virtual size: 6KB

.text
Size: 103KB - Virtual size: 102KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.text
Size: 243KB - Virtual size: 243KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B

.idata
Size: 2KB - Virtual size: 4KB

.tls
Size: 512B - Virtual size: 4KB

.rsrc
Size: 512B - Virtual size: 4KB

daw
Size: - Virtual size: 34.6MB

.boot
Size: 19.9MB - Virtual size: 19.9MB

.reloc
Size: 16B - Virtual size: 4KB