agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

New Text Document.exe.zip
Size

1KB
Sample

231028-tzd5badh32
MD5

0206983f12db26f622bbe73b165f126f
SHA1

e71f9fc602245a337f728e27917b0b716d3828f9
SHA256

6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
SHA512

296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
valvulasthermovalve.cl
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Extracted

Family

loaderbot

http://185.236.76.77/cmd.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

formbook

Version

4.1

Campaign

4hc5

Decoy

amandaastburyillustration.com

7141999.com

showshoe.info

sagemarlin.com

lithuaniandreamtime.com

therenixgroupllc.com

avalialooks.shop

vurporn.com

lemmy.systems

2816goldfinch.com

pacersun.com

checktrace.com

loadtransfer.site

matsuri-jujutsukaisen.com

iontrapper.science

5108010.com

beidixi.com

21305599.com

peakvitality.fitness

osisfeelingfee.com

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.greentnd.com
Port:
587
Username:
[email protected]
Password:
xAu^5p6BT2vcelhn
Email To:
[email protected]

Extracted

Family

lokibot

http://davinci.kalnet.top/_errorpages/davinci/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Targets

- Target
  
  New Text Document.exe.zip
- Size
  
  1KB
- MD5
  
  0206983f12db26f622bbe73b165f126f
- SHA1
  
  e71f9fc602245a337f728e27917b0b716d3828f9
- SHA256
  
  6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
- SHA512
  
  296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc
Score

10^/10

agenttesla formbook loaderbot lokibot privateloader redline smokeloader zgrat pub1 4hc5 backdoor evasion infostealer keylogger loader miner rat spyware stealer trojan upx vmprotect
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Formbook payload
  rat
- LoaderBot executable
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1