agenttesla

General

Target

c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
Size

87KB
Sample

240406-bpad9sgh46
MD5

54e3c76747e04cf98283167390e3f123
SHA1

a3addc3808226149381201bb24926fb8cbfff167
SHA256

c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
SHA512

576c959e486aa3b4a7f3902b27f29da9eb467b8339514f00e2fc9c83c0302b62b7778457fb54043a76e7530437836822ea7e4950b10e7783a8cd06666fd1052e
SSDEEP

1536:oLQAJg6/L6iFQzXblXAorYfwJcxSTlWoJl0ovJvWR4jmft2Ib7ADUzqbD3htV:OJgsL66ykDxSTlWoJl0ovJvWR46fJb7m

Score

10^/10

Malware Config

Extracted

Family

purecrypter

C2

http://213.199.41.33/rw/Lftspwf.pdf

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
66.29.151.236
Port:
587
Username:
senderoffice2@jahnindustry.shop
Password:
KSN9T9fAXAWh
Email To:
office2@jahnindustry.shop

Extracted

Family

xworm

Version

5.0

C2

91.92.241.169:5353

Mutex

XctZl0l6I2mIgS0k

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot5987023205:AAFlvwKv3zD3wQ2CQAewIB6uU95uBQ25ip0/sendMessage?chat_id=5202962680

aes.plain

Extracted

Credentials

Protocol: smtp
Host:
66.29.151.236
Port:
587
Username:
senderoffice2@jahnindustry.shop
Password:
KSN9T9fAXAWh

Targets

- Target
  
  c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
- Size
  
  87KB
- MD5
  
  54e3c76747e04cf98283167390e3f123
- SHA1
  
  a3addc3808226149381201bb24926fb8cbfff167
- SHA256
  
  c2fbfeaae8323cc8ca88ab7e7d2a80f4389d7d77870b560e9959fedee8b23827
- SHA512
  
  576c959e486aa3b4a7f3902b27f29da9eb467b8339514f00e2fc9c83c0302b62b7778457fb54043a76e7530437836822ea7e4950b10e7783a8cd06666fd1052e
- SSDEEP
  
  1536:oLQAJg6/L6iFQzXblXAorYfwJcxSTlWoJl0ovJvWR4jmft2Ib7ADUzqbD3htV:OJgsL66ykDxSTlWoJl0ovJvWR46fJb7m
Score

10^/10

agenttesla purecrypter xworm zgrat downloader keylogger loader persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- Detect ZGRat V1
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2