agenttesla

General

Target

9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs
Size

54KB
Sample

231205-wtr54aec49
MD5

efe89d1da63404c434d56b59b1c3c6bd
SHA1

51d3bd2d1bc60a598f6fb26613732d3c3444dd92
SHA256

9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3
SHA512

bb4e6a91649558d1933039a589a28a80455610b1199d05f3b9b5b15ecd22352fb7df6e91ed579ed0cdce120d157b374062cb755e95674a85fe0db7985a5e7952
SSDEEP

768:xrjq4Kw/FiEVWKbkNJFuABuTunNWQwB4JAkIx3TUqtp8s:R+4JdNbkLFuAgiEQw2J5STz2s

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.mcmprint.net
Port:
21
Username:
[email protected]
Password:
pK@7[r0Y?XFT

Targets

- Target
  
  9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs
- Size
  
  54KB
- MD5
  
  efe89d1da63404c434d56b59b1c3c6bd
- SHA1
  
  51d3bd2d1bc60a598f6fb26613732d3c3444dd92
- SHA256
  
  9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3
- SHA512
  
  bb4e6a91649558d1933039a589a28a80455610b1199d05f3b9b5b15ecd22352fb7df6e91ed579ed0cdce120d157b374062cb755e95674a85fe0db7985a5e7952
- SSDEEP
  
  768:xrjq4Kw/FiEVWKbkNJFuABuTunNWQwB4JAkIx3TUqtp8s:R+4JdNbkLFuAgiEQw2J5STz2s
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2