agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

attachments.zip
Size

488KB
Sample

240307-qhkc8abh63
MD5

660bace33a1309cfed1eb9007b730268
SHA1

672eef78e9814eb450e8b74dc7e78e2ae96e2a21
SHA256

3b530ace3209771f676e361ebc54dfc5d992d5069db93d416cd4b60745ccc400
SHA512

e403b6ab351d464a173dc42011ed20883867247ba81e77e5643d3d7a4de635e14c927495f6944c1960a62fc63615fb6b6824d88b310f43848f74988257159222
SSDEEP

12288:WmDS22BY1Piq7p19SWp1vF1tZkCZNidsiu5kNMr2K1WqGvbL:WmcBY4q7p1971vNo07r2K1kbL

Score

10^/10

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/

Targets

- Target
  
  attachments.zip
- Size
  
  488KB
- MD5
  
  660bace33a1309cfed1eb9007b730268
- SHA1
  
  672eef78e9814eb450e8b74dc7e78e2ae96e2a21
- SHA256
  
  3b530ace3209771f676e361ebc54dfc5d992d5069db93d416cd4b60745ccc400
- SHA512
  
  e403b6ab351d464a173dc42011ed20883867247ba81e77e5643d3d7a4de635e14c927495f6944c1960a62fc63615fb6b6824d88b310f43848f74988257159222
- SSDEEP
  
  12288:WmDS22BY1Piq7p19SWp1vF1tZkCZNidsiu5kNMr2K1WqGvbL:WmcBY4q7p1971vNo07r2K1kbL
Score

1^/10
behavioral1 behavioral2
- Target
  
  226350194-050944-sanlccjavap0003-11764.rar
- Size
  
  488KB
- MD5
  
  3d0f594ee92bed02cbb787b2c50f6896
- SHA1
  
  8e61a5560a22ca39369d781af051249f703562cb
- SHA256
  
  dd417f9b28a642ad5b273b300099d785e84d8bc89514cb4c7703558de5f0d615
- SHA512
  
  32c26ab4bf9640b4529cfec87de19b83ff1d309280844b12303ae01d79483194dbac77ab8e68fbd9adfcf489dd64e5682b5a87fc39ae625d1f93aa60e911ef67
- SSDEEP
  
  12288:wmDS02BY1vuQ7pf9SWj1LdvFZwmjNWxsiu5eNMJ2GRWqevQp:wm8BYcQ7pf9Z1LDsgFJ2GR8Qp
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  226350194-050944-sanlccjavap0003-11764.exe
- Size
  
  626KB
- MD5
  
  0d4bb5c57ce0f99b36056892cfe87f0c
- SHA1
  
  bd884e9d666bce68ef23dfa139f6477f1c50f7ab
- SHA256
  
  0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c
- SHA512
  
  7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e
- SSDEEP
  
  12288:RhKVcnRerrRiJJGDktgdRYCryyqmsufs5BKGR9YWYn+4t8w:REGnReZeJGDikBrLqmZgBKgPKnt/
Score

10^/10

agenttesla keylogger spyware stealer trojan guloader downloader
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  Civilhortonoms/Dyretmmersken/Mealybug/Laesning.Sko
- Size
  
  348KB
- MD5
  
  edac2c2f62e371a80143df8caaec5b24
- SHA1
  
  0b7e4c090f25b6a0ffdab3e1d4e94ea3a706584b
- SHA256
  
  ae0652e2eedf1db5506d11bdf75d677c37fb7896c64435f6afdf9161235a9616
- SHA512
  
  aa37fc1656f385b4a18c2cd8edd4c6befec3b9df14fb656bbc831274c4e1708e292e0e60e26470f3159d2ab1819b39594cc854428b65028bc468c43d3d12e3be
- SSDEEP
  
  6144:uAnjNQSAw5Htnf4hUAa4bCpMcIZpToALgteXtF0h4cNjo3IWrh9l7LxCgIMtlYk2:Nj0wlWhXaPpMcIZpNgwdF4Njsn7O++
Score

3^/10
behavioral7 behavioral8
- Target
  
  Ejerkredsen/Lulledes/Filateliens31.don
- Size
  
  32KB
- MD5
  
  6fb59e59913aa4e8e262ecaea92a5912
- SHA1
  
  36443d1f834aad43a9510205a212e6dc91e54ac8
- SHA256
  
  995ee626fc426825115d09a13f22484a92cf5b05904d66f1754e2745d4644ad0
- SHA512
  
  dd135914f216d2cd56cbf551cdfada946e22127de6ad2e22c4f9bc9bcd108de0d7c98e5973b67a7c700b3c07c86dab793dbb0ebdd748ac09346a1f1e911bd9a8
- SSDEEP
  
  768:w87qjTuYvsf3fBooh3t37kn96z6D5eTr7Bn1zCGWjM8K:pcsf3fBoo9t37knYgeT3Z1zCpM1
Score

3^/10
behavioral10 behavioral9
- Target
  
  Ejerkredsen/Lulledes/Preconizing.Nig
- Size
  
  57KB
- MD5
  
  f5a06265c76853290d3b7ed1c1d3e7b9
- SHA1
  
  4083441407a629edd297d1a480a4957740b99fd1
- SHA256
  
  f15289a9086ec32c0f072940209c5c50412dde5275dac49a8d271cb53e843eab
- SHA512
  
  52ef36d8443eec762f2980b0ada477a9b74f0af2d0cedfb73015fbac04c28e85a85af4be6a4f67c6d7ee3b59b07abf6be2042465154ac3525e035947db15d6e8
- SSDEEP
  
  1536:WkR4j4yKcxRd7o7KeUwDwtPxOuCXMDerkvU:W9RK7rqPanrCU
Score

8^/10

persistence
- Modifies Installed Components in the registry
  persistence
behavioral11 behavioral12
- Target
  
  Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/indsigelse.ant
- Size
  
  50KB
- MD5
  
  fe6e4fb43bfcb1e023788a586f9de59d
- SHA1
  
  86fc49bf39c949766f9b2601f62cfb8dce864027
- SHA256
  
  7f129a12d4e161d5cfaec501713f650008eec3bae6e73928f0383ce2d563e5e1
- SHA512
  
  386f7bc255e33f6269208bf68433628f4e4b97ae535dfae238e689e62a5853e549b0cdc7a69d2c8258e668c449056d407b5b186bb42003353f5df6a2166dc757
- SSDEEP
  
  768:SrGIR2Rr+h5F/WAwCWXYI+tHdDjhq11G0JrBY2UHZ1z/VyaIvQz:SrGIRIKhz/T90YI69Djh+sPHZRI/Qz
Score

3^/10
behavioral13 behavioral14
- Target
  
  Sudsers34/Neoterist/Opslagsbindenes/Oplivelse/smreostens.oxo
- Size
  
  5KB
- MD5
  
  59b98e0096076c214b314c35cd023764
- SHA1
  
  1483583c252be4ff9d3b7bbbb1fa773138fbcf8f
- SHA256
  
  0973275a70b8ce3a128ad1528b15d08052ba000b538ff4a4dba0c02d1b0935fd
- SHA512
  
  9c3c5ec7565929f7086cb760a8a0646c01aa59c94769b977de6c1cc05070016f0a8db4ca6d06b08c899a59b41e0f787551077e7ddd479fe8f2ba8c5c60f4ac36
- SSDEEP
  
  96:a825gt+h2/Df7TJRquQOlZjGs9tFgcNYQ0OKurcDImCR:a/5gt+GfXJYuLZjG4XN9nKuBR
Score

3^/10
behavioral15 behavioral16
- Target
  
  Telekablets/krakileres/miditest/Herpetotomist.txt
- Size
  
  551B
- MD5
  
  5d758ac69779009577d4ae47cd677caa
- SHA1
  
  de67af78fe74fac9003dfe87557ceb4177c50b3b
- SHA256
  
  1070c15bf5a1a7b6e32c2e16934e9d1618bf054c3ed8118b6c56a76a4d1be9f2
- SHA512
  
  f0478f19a5ef7d87c903bc62ba220c2dbd7589f2abb3f0f3407d8103701104eb57eafd0cc01454ab22049506eaba2faf0772e33cce982e6362c08945193ef8c0
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Guloader,Cloudeye

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AgentTesla

Guloader,Cloudeye

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Modifies Installed Components in the registry

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18