agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

New Text Document.zip
Size

1KB
Sample

231202-awj2lsha48
MD5

6928fa91ca64fae96060f50f7b1d2812
SHA1

ce23e21e0db4097037a1760285f447c6f72d6cdb
SHA256

449be8b7045888171621f844a0fbd92c7e79b7b1dbee7b9060224cc3be69e955
SHA512

981f615fc6e2c64566b0f97c068b68548fe87f265a7f12c7b77608bbbf4b2a593fa9268f2068818b23a28da271ed816858c9a65e0fcec71bb046c8093d5dc14b

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Extracted

Credentials

Protocol: ftp
Host:
ftp.experthvac.ro
Port:
21
Username:
[email protected]
Password:
-8{jszMOY*Z8(~Za0#jyP%o7VoB.0)kk^)7_

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Extracted

Family

stealc

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

lokibot

https://sempersim.su/a14/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

https://sempersim.su/a16/fre.php

Extracted

Family

vidar

Version

6.7

Botnet

52d67d34ad338b1aab9d89c0da5a59b1

https://t.me/s4p0g

https://steamcommunity.com/profiles/76561199575355834

Attributes

profile_id_v2
52d67d34ad338b1aab9d89c0da5a59b1

Extracted

Family

lumma

http://whethergaseoatra.pw/api

Targets

- Target
  
  New Text Document.zip
- Size
  
  1KB
- MD5
  
  6928fa91ca64fae96060f50f7b1d2812
- SHA1
  
  ce23e21e0db4097037a1760285f447c6f72d6cdb
- SHA256
  
  449be8b7045888171621f844a0fbd92c7e79b7b1dbee7b9060224cc3be69e955
- SHA512
  
  981f615fc6e2c64566b0f97c068b68548fe87f265a7f12c7b77608bbbf4b2a593fa9268f2068818b23a28da271ed816858c9a65e0fcec71bb046c8093d5dc14b
Score

10^/10

agenttesla amadey gh0strat lokibot lumma purelogs sectoprat stealc vidar zgrat 52d67d34ad338b1aab9d89c0da5a59b1 collection discovery evasion keylogger persistence rat spyware stealer themida trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect PureLogs payload
- Detect ZGRat V1
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- PureLogs
  PureLogs is an infostealer written in C#.
  stealer purelogs
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- UAC bypass
  evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Sets service image path in registry
  persistence
- Stops running service(s)
  evasion
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  New Text Document.exe
- Size
  
  4KB
- MD5
  
  a239a27c2169af388d4f5be6b52f272c
- SHA1
  
  0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
- SHA256
  
  98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
- SHA512
  
  f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
- SSDEEP
  
  48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Score

10^/10

agenttesla lokibot purelogs sectoprat stealc vidar zgrat 52d67d34ad338b1aab9d89c0da5a59b1 collection discovery keylogger persistence rat spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect PureLogs payload
- Detect ZGRat V1
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- PureLogs
  PureLogs is an infostealer written in C#.
  stealer purelogs
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral2