agenttesla | 6958207d220f5e4779476143888ecc491ff86ae881e74dd1791dc5f7b57ee096 | Triage

Submit
Reports

Overview

overview

Static

static

Rybkdr.exe

windows7-x64

Rybkdr.exe

windows10-2004-x64

Sharing

General

Target

ORDER FUZETEC PO2311-000031.img
Size

1.2MB
Sample

231201-rs9arsad78
MD5

f9b1a13cd14eaba6c7e18dd17a2d274c
SHA1

bcecb8013d3fdc4715789eb20e91f2e7fa22fa54
SHA256

6958207d220f5e4779476143888ecc491ff86ae881e74dd1791dc5f7b57ee096
SHA512

b9571e87cab4fe78bc88d22de0e18137a0c315b8dbcaf3d4cd2589272ae31c97e867a20ea6b9f4082c31415692ab26917bfe15222927a20a01188f80b763d83d
SSDEEP

24576:T1uC5JT92RkNSIXtzdf1ZOS0e42xWVYknV3G/Z:8KfRdtsS0e4GIV3GR

Score

10^/10

agenttesla purelogs keylogger persistence spyware stealer trojan

Static task

static1

3 signatures

Behavioral task

behavioral1

Sample

Rybkdr.exe

Resource

win7-20231023-en

purelogs persistence stealer

windows7-x64

6 signatures

150 seconds

Behavioral task

behavioral2

Sample

Rybkdr.exe

Resource

win10v2004-20231127-en

agenttesla purelogs keylogger persistence spyware stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.asiaparadisehotel.com
Port:
587
Username:
[email protected]
Password:
S,i*jv&Bj09k

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.asiaparadisehotel.com
Port:
587
Username:
[email protected]
Password:
S,i*jv&Bj09k
Email To:
[email protected]

Targets

- Target
  
  Rybkdr.exe
- Size
  
  1.1MB
- MD5
  
  d6393631100d7160ca348397cb01943d
- SHA1
  
  3ff0803ae9fd31efc74bcb29006c1cbf29b03f75
- SHA256
  
  eea977d6c736325a557a0c31552c49c51399748fc138db772735109fb6510757
- SHA512
  
  efef9bd64c68757c762a2fdbeb21cc6fc504b85dfd4f468b13504b00b365b58cd83aad3dbbc1cc12c8688d74777d69d6e09685cc9310a0cd29885f6a74fea576
- SSDEEP
  
  24576:X1uC5JT92RkNSIXtzdf1ZOS0e42xWVYknV3G/Z:AKfRdtsS0e4GIV3GR
Score

10^/10

purelogs persistence stealer agenttesla keylogger spyware trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect PureLogs payload
- PureLogs
  PureLogs is an infostealer written in C#.
  stealer purelogs
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

purelogspersistencestealer

behavioral2

agentteslapurelogskeyloggerpersistencespywarestealertrojan

© 2018-2024

Terms | Privacy