agenttesla | 4f23df8fc1b89068d863512b5eded9ef654fde2d13e540ae2044583fa428e228 | Triage

Sharing

General

Target

SwiftMessage pdf.vbe
Size

82KB
Sample

231211-syvv1aageq
MD5

fcbd6270d7c941716d0afbfe8cbb2c73
SHA1

3f7052edec4891d11a51b719280a84c5d548d87b
SHA256

4f23df8fc1b89068d863512b5eded9ef654fde2d13e540ae2044583fa428e228
SHA512

6d86c346058c25fc0078a69dbd924db3094198c00a275bd66064004b153f3bfa38a65cef45df34c5346d7e5848f24de633f3ee866d4e496ef4d527da16bb5640
SSDEEP

1536:vKL/5HxzvNKG7EpBigtyVtjev/h0NL9C03mbXtlKycwpI/5LLogLM8KGeDyUgv7Q:Sr5HxDNKG7E6gEVtj2/h0NL9C03W9lKI

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.cefin.bg
Port:
21
Username:
[email protected]
Password:
#UuXy?6cIbL+

Targets

- Target
  
  SwiftMessage pdf.vbe
- Size
  
  82KB
- MD5
  
  fcbd6270d7c941716d0afbfe8cbb2c73
- SHA1
  
  3f7052edec4891d11a51b719280a84c5d548d87b
- SHA256
  
  4f23df8fc1b89068d863512b5eded9ef654fde2d13e540ae2044583fa428e228
- SHA512
  
  6d86c346058c25fc0078a69dbd924db3094198c00a275bd66064004b153f3bfa38a65cef45df34c5346d7e5848f24de633f3ee866d4e496ef4d527da16bb5640
- SSDEEP
  
  1536:vKL/5HxzvNKG7EpBigtyVtjev/h0NL9C03mbXtlKycwpI/5LLogLM8KGeDyUgv7Q:Sr5HxDNKG7E6gEVtj2/h0NL9C03W9lKI
Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan

behavioral2

agentteslaguloaderdownloaderkeyloggerpersistencespywarestealertrojan