agenttesla | 53c401f24e24cbe77b405737d35a12daed24ab8840abcfec197b9e8b5c7ff312 | Triage

Sharing

General

Target

VenomCrypter.zip
Size

13.1MB
Sample

231203-qp6vsscb36
MD5

6339a9df99f4fea3c2ab1afc78e879d9
SHA1

4ee6cc1d50730b5d48a878e4572b9958352a0755
SHA256

53c401f24e24cbe77b405737d35a12daed24ab8840abcfec197b9e8b5c7ff312
SHA512

404a6312bb344529f600193f31f2741e67ccdfb7d6d12627bd52664b89a664aee00527e20f620276ccf6082c749f3176d5bac7351fbb4e643f76127800b271bc
SSDEEP

393216:qxd4xvvYsd08zltBx0GLTN2R9hopFtUh1a:gKrzlXx13NK9+eXa

Score

10^/10

agenttesla zgrat evasion keylogger rat spyware stealer trojan

Malware Config

Targets

- Target
  
  VenomCrypter/Core/dnlib.dll
- Size
  
  1.1MB
- MD5
  
  5cc2bb48b5e8c8ac0b99669401d15456
- SHA1
  
  02e9ae08f3ec364834eb3ffc122f1c90e1b0e95e
- SHA256
  
  648950f725fb0320e09c52dcaf81764916df96dc62e7429ba67daea0acb784ea
- SHA512
  
  2867e94cee9f89f1cf85ad01083d75f4bc0bc0e551b2ffae05581828994f2b01a458ac7a7c94a45e8c40858ecce197f7ec23482ee13ef3f1bf82b33b89b3b420
- SSDEEP
  
  24576:/bN7xZgKVl/N12pljD7DM2l8xs5A/zYv7flNcK:DyJXn3ML7G
Score

1^/10
behavioral1 behavioral2
- Target
  
  VenomCrypter/Core/dotnetreactor.exe
- Size
  
  14.3MB
- MD5
  
  44b10b3b38df861e83d7fe0c06414bcd
- SHA1
  
  fc94d4422602455e01442855c8f35164ef97412d
- SHA256
  
  0133f4878d4441dad5c153b83b2cb70b510ff089814820cbfb4e88df31564c8e
- SHA512
  
  00ee844a109cc603c1308b13d4c64a71b076fec41d60f47952f333f1db3c03c389b159c0b13a39f5a4ceefdd1a5212d01c8e5e55db4bdbb8e860788087db4288
- SSDEEP
  
  196608:fk0F23nFoQ5RPoE72XoQZpChJwa/ThljpYvAksm8jb5HcT6Z:dQ3nFJQE74kpThbpM8JB
Score

10^/10

zgrat rat
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
behavioral3 behavioral4
- Target
  
  VenomCrypter/Core/venom_crypter.exe
- Size
  
  107KB
- MD5
  
  473b0559e3be87128dbf66e483150fbb
- SHA1
  
  3a710cf2366837dcdbf4ad2831044f1c594c2106
- SHA256
  
  a75977968a6ca4af41552ed47c4315c1782b12223f7001f8ae5c8547781724e0
- SHA512
  
  8e0bc5be8211504c37fc827262f8c76b6ef2811e20cbad3be3bbcdda705985e505fe6cb9255b079a0eddabe233f32a3932ec796665de8b54458e3c9730d322b6
- SSDEEP
  
  3072:bdZLLyEmnB0lc3fy000NMCUkpH2fydk0AK8QFAD1DEAPIu+bpcdjM0:ZZLLyEmnB0lcvy000NMv6H2fydIKxADm
Score

1^/10
behavioral5 behavioral6
- Target
  
  VenomCrypter/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  c05cf8543a06cf77ba8e3d03c1b39870
- SHA1
  
  40d53bcdc940fafccf02404866d9d917c0a84696
- SHA256
  
  f446f3daed76fa4d1fdfde1e00e9348ced91853662ba953e9beb8f0ac6450126
- SHA512
  
  07b959fab63ccf77072b70ae89f1ccc047fa4ba00fedff8503688125d9a2ca284811d4fb5c9125ff0468dd077ad2aae719b3b22067156f5c8a806f16890b9145
- SSDEEP
  
  49152:w34QXpXwn9cQPHvrkYsIJLBOrOcNTMzFon:wIQgcT
Score

1^/10
behavioral7 behavioral8
- Target
  
  VenomCrypter/SimpleObfuscator.dll
- Size
  
  1.4MB
- MD5
  
  9043d712208178c33ba8e942834ce457
- SHA1
  
  e0fa5c730bf127a33348f5d2a5673260ae3719d1
- SHA256
  
  b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c
- SHA512
  
  dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65
- SSDEEP
  
  24576:FDy7cKOfkiRrXP5WtJvW1mpjSWr7uoZme1V86:+8/AtJes1LJ
Score

1^/10
behavioral10 behavioral9
- Target
  
  VenomCrypter/VenomCrypter.exe
- Size
  
  995KB
- MD5
  
  b8f9138bd9a2c93a1b7ada47586c8202
- SHA1
  
  998850da4b2c4f5152d637222613b114338e6ba4
- SHA256
  
  54fc1ddf8dd8880f29ec3335d602de20f0b9ecafb9cd3dc9dc090ab6a1540535
- SHA512
  
  54b99cb1a821dab4a2c79560a13f637db1cae5658d2293e28c7449930052bcc35d4e92ad30a6d720224fcccf78c70aaace5c502bb8ba39e3fc7f607c2197a590
- SSDEEP
  
  24576:A6QogdyF69wA1s33ryeg5b0O9Xld7T7lY7NSe3TwHur8pOfVnnbeC13Uv8r:A5zdyF69mrU5nJ7lY7EaUHvYz
Score

10^/10

agenttesla evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral11 behavioral12

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

zgratagenttesla

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

agentteslaevasionkeyloggerspywarestealertrojan

behavioral12

agentteslaevasionkeyloggerspywarestealertrojan