agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d
Size

11KB
Sample

240417-gz9vrsff88
MD5

0e2ad53c884e25f969b3a575f4bb90bb
SHA1

81e774fe109ddc9185ad3fb68995a069ce9045e0
SHA256

990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d
SHA512

e1d6fd39e8a9fb63c5d1c28ada97529a5813ae27efc68655d5f58c3f65f431c5ffb4dd2169973738d32cb8ad62134d3931dff184793439b833258e94fb3264a9
SSDEEP

192:Gvhfn4XrNhcu214mAj+QHzdPbwPz1ULU87glpK/b26J4/2615:4fnysu2U+qzZ0ULU870gJI

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

EXDOUS

rootsaul.duckdns.org:8808

rootsaul.duckdns.org:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

Quotation

bossnacarpet.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
chrome-E5S2GX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

Botnet

@cloudcosmic (https://cloudcosmic.store)

87.121.105.175:14845

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Credentials

Protocol: smtp
Host:
smtp.gfs-ld.com
Port:
587
Username:
origin@gfs-ld.com
Password:
@WlgG%V9

Extracted

Family

redline

Botnet

Test1234

185.215.113.67:26260

Extracted

Family

lumma

https://pushjellysingeywus.shop/api

https://entitlementappwo.shop/api

https://economicscreateojsu.shop/api

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
viorel5000@yandex.ru
Password:
fknhxyuavrcsphhd
Email To:
viorel5000@yandex.ru

Targets

- Target
  
  990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d
- Size
  
  11KB
- MD5
  
  0e2ad53c884e25f969b3a575f4bb90bb
- SHA1
  
  81e774fe109ddc9185ad3fb68995a069ce9045e0
- SHA256
  
  990d1ff1ab883a9bacbbb6abcf975139d9ab359b74ffba16f1fa7a66a30e935d
- SHA512
  
  e1d6fd39e8a9fb63c5d1c28ada97529a5813ae27efc68655d5f58c3f65f431c5ffb4dd2169973738d32cb8ad62134d3931dff184793439b833258e94fb3264a9
- SSDEEP
  
  192:Gvhfn4XrNhcu214mAj+QHzdPbwPz1ULU87glpK/b26J4/2615:4fnysu2U+qzZ0ULU870gJI
Score

10^/10

amadey asyncrat redline remcos xmrig zgrat @cloudcosmic (https://cloudcosmic.store)exdous quotation evasion infostealer miner persistence rat trojan vmprotect lumma risepro xworm test1234 bootkit collection discovery spyware stealer agenttesla dcrat quasar stormkitty keylogger
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detect Xworm Payload
- Detect ZGRat V1
- Lumma Stealer
  An infostealer written in C++ first seen in August 2022.
  stealer lumma
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- XMRig Miner payload
  miner
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Async RAT payload
  rat
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Creates new service(s)
  persistence
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses Microsoft Outlook profiles
  collection
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5