agenttesla

General

Target

RFQ20231031_Commercial list.vbe
Size

51KB
Sample

231101-hkr7vaea37
MD5

9885fc872331773b6748ed3886bc7957
SHA1

71bc53359b1fed0f04c81324fce95aa1b7e000d8
SHA256

faa259f6938502626581cd6d770aa9a1f13c837c19e2d433b2eff805c1e100d4
SHA512

80eeb8298b3b7e9f09e73059a8db647fb49e2b8b8fd13ad23d80c0e783e17ae27455c846722d2cdbc3151c0518205fa4426c4ad3ba275eb2bdb14869736d1600
SSDEEP

768:CV+v7O4wiyszD1F1Wa26Hsn3Fk8AUcgW5kZD9407ptajEEONE7kJC3t6AiFj0:Ay3Xz31J26H4Fk8w3mDL7mQNwkJBFj0

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.lipp.com.my
Port:
587
Username:
[email protected]
Password:
11pp@123#

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.lipp.com.my
Port:
587
Username:
[email protected]
Password:
11pp@123#
Email To:
[email protected]

Targets

- Target
  
  RFQ20231031_Commercial list.vbe
- Size
  
  51KB
- MD5
  
  9885fc872331773b6748ed3886bc7957
- SHA1
  
  71bc53359b1fed0f04c81324fce95aa1b7e000d8
- SHA256
  
  faa259f6938502626581cd6d770aa9a1f13c837c19e2d433b2eff805c1e100d4
- SHA512
  
  80eeb8298b3b7e9f09e73059a8db647fb49e2b8b8fd13ad23d80c0e783e17ae27455c846722d2cdbc3151c0518205fa4426c4ad3ba275eb2bdb14869736d1600
- SSDEEP
  
  768:CV+v7O4wiyszD1F1Wa26Hsn3Fk8AUcgW5kZD9407ptajEEONE7kJC3t6AiFj0:Ay3Xz31J26H4Fk8w3mDL7mQNwkJBFj0
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2