agenttesla

General

Target

0f29f01956c370d710fd8f466e2a0f68170814634f778032a34e5f02cd994791
Size

856KB
Sample

231211-kxy72aadfp
MD5

3e4915120c2a93f6c94fd365320478c2
SHA1

af336c33d6efd7b2d7d7c0890821fe896ecac6ce
SHA256

0f29f01956c370d710fd8f466e2a0f68170814634f778032a34e5f02cd994791
SHA512

0b2c09cca6a06c470d98708ac54ef0673927ace677d1f9cc36ffa04c6a9e90344b5a3fb6c5460f87e94376514d41bd10150c69e79daf0b2f4c9cde82789d1a49
SSDEEP

24576:iI/i0htioZ2d9wUrA7N9kidzJ4ufeHkuPwiSe7YNAQ:h/fti22DVkt4uWHkuPwiSCQ

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1183395967563747379/uiR-L8sCPAbmIk762kRjA9KmM-l1_wr48uBrF5rgQJmviD0L7w1EJt85eDdGByNRZnXH

Targets

- Target
  
  RFQ#445890_INQDEC2895PROD_Hangzhou Zhongniu_Import_Export Cos.PDF.exe
- Size
  
  920KB
- MD5
  
  5739503918d2197229995037c57b4cdf
- SHA1
  
  e70caa3ea80971d1519188b42295861a7ddccf61
- SHA256
  
  5abd7ea82a80349aa1d0444ab05e79366b616cc4adb7a437543e474fd76b0801
- SHA512
  
  9d7b98b7587fd83fa139b509c8d6ad53ef2e5b6efa16c653edc80c86a5eb9387419ba1dcd4ea4f94d9547511b2208196505e0e7c97a033643a76d6cf23a4073c
- SSDEEP
  
  24576:sNIxTCehtiox6d9ccTW7L9Cidfv4ifeHkOPwaMe7YHehJ:ccTLtii6D7mH4iWHkOPwaMOn
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2