agenttesla

Resubmissions

28/10/2023, 17:05

231028-vlv2caeb35 10

28/10/2023, 17:04

231028-vln8sscd9w 10

28/10/2023, 16:52

231028-vdn8tsea66 10

Sharing

Copy URL

Twitter E-mail

General

Target

Anti Malware VS Malware Document.zip
Size

118.1MB
Sample

231028-vln8sscd9w
MD5

10381c0010548265a31da2da6f1611a3
SHA1

3f188fdca7ce79f014b3efa00b1707fb60664e72
SHA256

8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059
SHA512

30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445
SSDEEP

3145728:WcNV0c+BBchhJJnsNmDuzn2dOYIwWDB0tg:WcNqcAuD3gTY6wlg

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
thedress.pk
Port:
21
Username:
[email protected]
Password:
texas1234567890

Extracted

Credentials

Protocol: ftp
Host:
valvulasthermovalve.cl
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

loaderbot

http://185.236.76.77/cmd.php

Extracted

Family

formbook

Version

4.1

Campaign

t6tg

Decoy

dwolfgang.com

changeandcourse.com

sonexhospitallimited.com

izeera.com

7m9.lat

fem-studio.com

santocielostore.com

0xinxg7e50de2n7q2z.site

ssongg13026.cfd

promushealth.com

g7bety.com

molinoelvinculo.com

smallthingteamwork.world

zewagripro.shop

adam-automatik.com

raquelaranibar.com

aigeniusink.com

maddirazoki.com

nextino.app

verbenashungary.com

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.greentnd.com
Port:
587
Username:
[email protected]
Password:
xAu^5p6BT2vcelhn
Email To:
[email protected]

Targets

- Target
  
  Anti Malware VS Malware Document.zip
- Size
  
  118.1MB
- MD5
  
  10381c0010548265a31da2da6f1611a3
- SHA1
  
  3f188fdca7ce79f014b3efa00b1707fb60664e72
- SHA256
  
  8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059
- SHA512
  
  30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445
- SSDEEP
  
  3145728:WcNV0c+BBchhJJnsNmDuzn2dOYIwWDB0tg:WcNqcAuD3gTY6wlg
Score

10^/10

agenttesla formbook loaderbot redline smokeloader zgrat pub1 t6tg backdoor evasion infostealer keylogger loader miner rat spyware stealer trojan upx vmprotect
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- LoaderBot
  LoaderBot is a loader written in .NET downloading and executing miners.
  loader miner loaderbot
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Formbook payload
  rat
- LoaderBot executable
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1