agenttesla

Resubmissions

17-09-2023 21:42

230917-1kqywsfc99 10

09-09-2023 02:55

06-09-2023 17:13

13-08-2023 17:31

27-06-2023 12:47

13-06-2023 16:07

Sharing

Copy URL

Twitter E-mail

General

Target

a.zip
Size

832B
Sample

230906-vrxr5aaa71
MD5

10e578867faad166dc6a8f3868cef2f4
SHA1

f541fab60d482834e90638c5aebdefe3d997174e
SHA256

6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
SHA512

38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114

Malware Config

Extracted

Family

gh0strat

182.42.105.12

Extracted

Family

amadey

Version

3.88

45.9.74.5/b7djSDcPcZ/index.php

Attributes

install_dir
0ac15cf625
install_file
yiueea.exe
strings_key
ff7b4cd5e3143e87f81788365929e6dd

rc4.plain

Extracted

Family

formbook

Version

4.1

Campaign

xy18

Decoy

ecpgbtrj.cfd

flourishaudiodrama.com

bledcerium.online

fwdnrbnm.cfd

gbohsseo.cfd

bolam3rah85.site

barstool-us.com

angelaluxury.com

promoaverage.site

paragonpediatricurgentcare.com

florescerpsicologia.com

zeajux.cfd

fyxidltp.cfd

theprettynote.com

cygoodshopgogo.top

oconnellro.pro

mmcrecordsph.online

wbtverfrgw.cfd

xiaoseo171.top

horatiothemusical.com

Extracted

Family

remcos

Botnet

Thcinc

b6079658.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
thcinc.exe
copy_folder
Thcinc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
thcinc
mouse_option
false
mutex
Rmc-X26LV5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

nanocore

Version

1.2.2.0

discojockeylight.duckdns.org:4444

Mutex

11ab0fe1-4213-49d2-ae5d-4cc94b2030c0

Attributes

activate_away_mode
true
backup_connection_host
discojockeylight.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-06-17T07:56:57.343492536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4444
default_group
discojockeylight
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
11ab0fe1-4213-49d2-ae5d-4cc94b2030c0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Merdeka

ascoitaliasasummer.duckdns.org:3030

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows Session Start.exe
copy_folder
Microsoft Media Session
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Windows Sound EndPoints
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Extracted

Family

agenttesla

https://api.telegram.org/bot5494052141:AAF2aO4sQ_tu4BOnk0pmxB995km7Mslduy0/

Extracted

Path

C:\webRef\How To Restore Your Files.txt

Ransom Note

All your documents, company files, images, etc (and there are a lot of company data) have been encrypted and the extension has been changed to .knight_l . The recovery is only possible with our help. US $14474 in Bitcoin is the price for restoring all of your data. This is the average monthly wage for 1 employee in your company. So don't even think about negotiating. That would only be a waste of time and you will be ignored. Send the Bitcoin to this wallet:1ALCiyMZWD482JKE9m3KeYVqvZRbwiE3W3 (This is your only payment address, please don't pay BTC to other than this or you won't be able to get it decrypted!) After completing the Bitcoin transaction, send an email at: http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/a6b37125-b8e6-4d51-9476-607342037e0f/ (Download and install TOR Browser (https://www.torproject.org/).[If you don't know how to use it, do a Google search!]).You will get an answer as soon as possible. I expect a message from you with the transfer of BTC Confirmation (TXID). So we can move forward to decrypt all your data. TXID is very important because it will help us identify your payment and connect it to your encrypted data.Do not use that I am here to waste mine or your time. How to buy the BTC? https://www.binance.com/en/how-to-buy/bitcoin https://www.coinbase.com/how-to-buy/bitcoin Note: Your data are uploaded to our servers before being encrypted, Everything related to your business (customer data, POS Data, documents related to your orders and delivery, and others). If you do not contact us and do not confirm the payment within 4 days, we will move forward and will announce the sales of the extracted data. ID:59f51372a1c65de2fcfbd7b0e2fdd55a3b256f6e1865109c5be43beef9779e7f

URLs

http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/a6b37125-b8e6-4d51-9476-607342037e0f/

https://www.binance.com/en/how-to-buy/bitcoin

Targets

- Target
  
  a.zip
- Size
  
  832B
- MD5
  
  10e578867faad166dc6a8f3868cef2f4
- SHA1
  
  f541fab60d482834e90638c5aebdefe3d997174e
- SHA256
  
  6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
- SHA512
  
  38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114
Score

10^/10

agenttesla amadey asyncrat dcrat fabookie formbook gh0strat nanocore privateloader redline remcos merdeka thcinc xy18 collection discovery evasion infostealer keylogger loader ransomware rat spyware stealer trojan upx vmprotect
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Fabookie payload
- Fabookie
  Fabookie is facebook account info stealer.
  spyware stealer fabookie
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Formbook payload
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook profiles
  collection
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1