agenttesla | e3986c9a3d1d24b0cff99c78bd92d594eeb6d2a438f14ec6a44e3ef74c86c517 | Triage

Submit
Reports

Overview

overview

Static

static

1

4lgeug.rtf

windows7-x64

4lgeug.rtf

windows10-2004-x64

1

Sharing

General

Target

4lgeug
Size

68KB
Sample

240423-xr79zaba77
MD5

fff188bebcf8468642229428227ef8ff
SHA1

ec26be493066bcbc12abcf9d4ba374309d3ded83
SHA256

e3986c9a3d1d24b0cff99c78bd92d594eeb6d2a438f14ec6a44e3ef74c86c517
SHA512

264cbbfab0e8b4bb669f2999ced07a3bdf7312601422ff8caae3a45aca1e99b5013221b99f57135169d3824b906bcbe9edcea44db879366e957c1e224648b1a0
SSDEEP

1536:eeAlB6opE4g6RP3efl4+fRfcTxaxzUMcsBbOQNqOWpx6zl+03kaOAh/zRdAe+nhM:fAlB6opE4g6R84+fRfcTEbOQYOWpxo3V

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Static task

static1

Behavioral task

behavioral1

Sample

4lgeug.rtf

Resource

win7-20231129-en

agenttesla guloader downloader keylogger spyware stealer trojan

windows7-x64

20 signatures

150 seconds

Behavioral task

behavioral2

Sample

4lgeug.rtf

Resource

win10v2004-20240412-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
4r@d15PS!-!h

Targets

- Target
  
  4lgeug
- Size
  
  68KB
- MD5
  
  fff188bebcf8468642229428227ef8ff
- SHA1
  
  ec26be493066bcbc12abcf9d4ba374309d3ded83
- SHA256
  
  e3986c9a3d1d24b0cff99c78bd92d594eeb6d2a438f14ec6a44e3ef74c86c517
- SHA512
  
  264cbbfab0e8b4bb669f2999ced07a3bdf7312601422ff8caae3a45aca1e99b5013221b99f57135169d3824b906bcbe9edcea44db879366e957c1e224648b1a0
- SSDEEP
  
  1536:eeAlB6opE4g6RP3efl4+fRfcTxaxzUMcsBbOQNqOWpx6zl+03kaOAh/zRdAe+nhM:fAlB6opE4g6R84+fRfcTEbOQYOWpxo3V
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

behavioral2

© 2018-2024

Terms | Privacy