agenttesla

General

Target

SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exe
Size

1.5MB
Sample

231211-nd9q7seed8
MD5

ee0a61b47e6676cce5c6908cfe8d9f98
SHA1

a7636fc89e3e076b1e8bdc2fa7b3ae3f7ba126c2
SHA256

be1e625483202184962d61f45c1c31c00a18063376a91ce7bae5ed72169d05f2
SHA512

cc644964da0fa26bcdfc5d92aedb6527e098fd19bbb40308df6c16b5df9aebbd5f463a59285a19081915d08dbedeedf90adda0ebcf59902ec8117777cdf2ff72
SSDEEP

24576:zU3iOHs23wM460Q9kB1dExumukxUhj4oEjqFzqMAxHbQaHhizTM8T6H:A3K8wVWe0NUhkoEjqFztAxhN46H

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.bilbonne.com
Port:
587
Username:
[email protected]
Password:
YuKPdqG2

Extracted

Family

rhadamanthys

C2

http://212.193.30.32/upload/libcurl.dll

Targets

- Target
  
  SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exe
- Size
  
  1.5MB
- MD5
  
  ee0a61b47e6676cce5c6908cfe8d9f98
- SHA1
  
  a7636fc89e3e076b1e8bdc2fa7b3ae3f7ba126c2
- SHA256
  
  be1e625483202184962d61f45c1c31c00a18063376a91ce7bae5ed72169d05f2
- SHA512
  
  cc644964da0fa26bcdfc5d92aedb6527e098fd19bbb40308df6c16b5df9aebbd5f463a59285a19081915d08dbedeedf90adda0ebcf59902ec8117777cdf2ff72
- SSDEEP
  
  24576:zU3iOHs23wM460Q9kB1dExumukxUhj4oEjqFzqMAxHbQaHhizTM8T6H:A3K8wVWe0NUhkoEjqFztAxhN46H
Score

10^/10

agenttesla rhadamanthys collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect rhadamanthys stealer shellcode
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Detect rhadamanthys stealer shellcode

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Loads dropped DLL

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2