agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

NEAS.db2a2d7c0772591199f7d3be76fd05031487f14b888efaa626d167397130c86b.zip
Size

9.7MB
Sample

231202-mgjhraca5y
MD5

f3ea43db54841ed8d406f428557ec33e
SHA1

affd5206fb39ea0e38d2d496e7bcf57c71cc38aa
SHA256

db2a2d7c0772591199f7d3be76fd05031487f14b888efaa626d167397130c86b
SHA512

f8e3ab4715cd5edd41cf29ab97cbfcc4a67b25aa19e90f9ba0df10dd51d00013afb320f822a846a0cb326dd87aa61a3fa5179be495b70f63cc61acc177bbcdb2
SSDEEP

196608:3AJZo16QcOYIgSGOVR9gyWT0985gRdSkMgOkX+O+wV3Meys:3N7en1OVR9uT0O5qFOEmxs

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.asiaparadisehotel.com
Port:
587
Username:
[email protected]
Password:
^b2ycDldex$@
Email To:
[email protected]

Extracted

Family

stealc

http://77.91.76.36

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

risepro

195.20.16.45

Extracted

Credentials

Protocol: ftp
Host:
ftp.dzine.com.tr
Port:
21
Username:
dzinecom
Password:
Dzine21.

Targets

- Target
  
  1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3.exe
- Size
  
  623KB
- MD5
  
  8eab5e4d034fde42eb31add0cb923a97
- SHA1
  
  ac9f5a051227302049aa5136a26f30a3707db55c
- SHA256
  
  1be1eb3fc904fc5a9e9e555e3fa4a2b6a5a299917d5afa9a1570079195387fa3
- SHA512
  
  54f6f28e0ad2ba4cf968fb766d000f97afb851a6886649c7968a39a3e09eff5974455164ba0e43963a1bc5a416b1fabfd6780c55cd794011ea474bd72c2accdb
- SSDEEP
  
  12288:14uUdaP5mn0llWSQSSKJOzIT5HiSRJ56/:ydaP5mn0llNQN2OzCti2z
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837.exe
- Size
  
  270KB
- MD5
  
  a2da34f16556914cfd1218970c90e451
- SHA1
  
  9ac22b21244777d2d2b9ae22fb551f6a0b54f4f0
- SHA256
  
  3b29f950968c3e659a25e4d65085b3c2337db74cfcc88fb7172971b1c3f13837
- SHA512
  
  58b9ec3b661c1c1f636a64ed42af507ac8aafd771eb597952b7e76ec35828d26f7b41c0c8f1a87d5e0ffd3d328ed773b7d8ab2497d1e0e806dd4552056bcf948
- SSDEEP
  
  6144:pR2kdN6l00Ul/YbyRVZXGoMFK0OK8yL7Ve:pRQ00Ul/YmGnFK0OvoQ
Score

10^/10

stealc discovery spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Downloads MZ/PE file
- Deletes itself
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral3 behavioral4
- Target
  
  69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97.exe
- Size
  
  6.2MB
- MD5
  
  63de00cc272f7f0edb1669c406f97d96
- SHA1
  
  ca46c7257e26654586d6348f7aaf618f208693bb
- SHA256
  
  69cebec49aad7594157deb014e52b24580e3a6e05476aac000fd0cf7b1c3bd97
- SHA512
  
  16796815b914363a61ae29627913b3f327b8bde98f78b2e6780f1c5fa4086464b45dee66799c637507f9a48d9be72598caea9bae2bef32ec17803fa9b14b7bd4
- SSDEEP
  
  98304:jvV1BrPfhSqGzb7Jd8TGEjC6SZgeWxhLIzMwoUXYhLNfAMfv2goJMAWB72ozS2e:jHJPgqobVd8TQZaxRIHZCZoJMAWBv
Score

10^/10

privateloader risepro loader persistence stealer collection discovery spyware
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
  loader privateloader
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral5 behavioral6
- Target
  
  cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4.exe
- Size
  
  738KB
- MD5
  
  33a2aca5866de0f687e0d5d64c1feb9b
- SHA1
  
  42c8a406496525574a3954a219968db17eb7877f
- SHA256
  
  cb3cd1f7db0ac8ef966e513358935676673bd972b8baad11ef0f2a8bfdb9cbe4
- SHA512
  
  0df31bd83fb732f9c228807b1ff0897a1f58198a3d9baf544eec95dbae2d19de490a47e2217455438eed4132fb6a5b5f834e74c8210d7741914cc74e4fd65cb6
- SSDEEP
  
  12288:kI2ICYm2L/c37RaJFheLHUvGnJ6zsCMgzF+Nm3jZ738FQTft:AX27c3yQL0vyljgzAwjZj8C
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b.exe
- Size
  
  3.2MB
- MD5
  
  f23d61d5ff249493e4b55e0690d7b3e4
- SHA1
  
  a6eccac18cc49aa7fe3863afb24d3975a5cf30a8
- SHA256
  
  e164c86cf3eead4541a719f3cc5f08a7f0b36384fb8e95098116acadad23a69b
- SHA512
  
  1782f63dc64baaf47d00ad0f8cf7d04587f8da2656aedf580147387df65b9481e4fdd7a4e34c6f01dfbefc4815d42a994dc7e6e065c84d2cf9821e602ac2446f
- SSDEEP
  
  49152:3osVZWC0R4XRbTaDmixqWsOFQlrYQBDcLatzB+L0iVBH+nBz0I7C:3Z0RkRbTaDmcsOFQpEwIN+d0n
Score

5^/10
- Suspicious use of SetThreadContext
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Stealc

Downloads MZ/PE file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

PrivateLoader

RisePro

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

AgentTesla

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10