agenttesla

General

Target

0c09f8d34c4c4edfe724cdf02850558054581b65b6ba5c6eb863051faa97f1bc
Size

680KB
Sample

231211-jsq57ahahj
MD5

1a61a9d9c73f98620484e38c569c7fbc
SHA1

5981db3c9b970ed5cc8fbcf20152f024c22b5a77
SHA256

0c09f8d34c4c4edfe724cdf02850558054581b65b6ba5c6eb863051faa97f1bc
SHA512

be4a90d70596af5c5220dce8792f50a49525a01d3e3e6b8f9c660250b863880570a47526f6b414fab95a5f77ebf8123d9093dcf3a82c559050cdf4833072f005
SSDEEP

12288:0tTxId/AtXHx0KptwjHXLSScnhKNGvnjTd+W1fBg2pxv/w6fsez99F+G:0tTa/AthNtYHXLS513d+gFpp/wes099T

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.rolexlogisticsservice.com
Port:
587
Username:
[email protected]
Password:
0.p-TydLJ-3Z
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.rolexlogisticsservice.com
Port:
587
Username:
[email protected]
Password:
0.p-TydLJ-3Z

Targets

- Target
  
  Halkbank_Ekstre_20191102_073809_405251-PDF.exe
- Size
  
  908KB
- MD5
  
  d53f9da1e548649fad0874f345dbafc6
- SHA1
  
  2d1bcf3e6bf202bc084e0ffae51457369b841f68
- SHA256
  
  ff35d25496862b10860706136636b1001bd46f42856bd75fb4f8c32ca2fa05c0
- SHA512
  
  1e69ef400da0f31c453539bb73350c5e1a470be7fdb8983000715da22ae13a60e7dcff5a93922eddea4db0e16255bc70f3f8841c0e9a244b78b5711ca29ce361
- SSDEEP
  
  12288:9N3IU8S6eUdOvefG/C0nEScfhKJGdB6RZTdGX+BfzN/CASPKgSYtlx16wqjpkFAI:bItSAdOvLtEl5E/dGX+xz5CALySF1q
Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect ZGRat V1

ZGRat

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2