agenttesla | cc4ddee264eb2d333ac1b95eb2243f7bc9699398c7f7cadd5cce1e4d7fc72c02 | Triage

Submit
Reports

Overview

overview

Static

static

serorox.zip

windows10-2004-x64

Resubmissions

01-05-2024 20:27

240501-y8n34afh2t 10

01-05-2024 20:26

240501-y736mafg71 10

Sharing

General

Target

serorox.zip
Size

15.8MB
Sample

240501-y8n34afh2t
MD5

e27ba230388a4a822fb48d12d3d7a906
SHA1

0d3ec02edbdbbd7e4e615d0663084c14a8e8b7bd
SHA256

cc4ddee264eb2d333ac1b95eb2243f7bc9699398c7f7cadd5cce1e4d7fc72c02
SHA512

d06d16289f1f714283ecd80f3c7cdcf5c90afb6a55df2283987f5791854d2ea55f04bf09a2c5e7ddb2e10cf00cb1eeff5f0fedc6f2ec5590a6e37323a4a99d3e
SSDEEP

393216:TnKgzRmCYe6kexg3P/Lwm00U9+9ge9rMkwHkMfZukCk7k:WCboxg3rwm0N9q9wkOxrI

Score

10^/10

agenttesla quasar slave keylogger spyware stealer trojan

Static task

static1

agenttesla quasar

5 signatures

Behavioral task

behavioral1

Sample

serorox.zip

Resource

win10v2004-20240419-en

agenttesla quasar slave keylogger spyware stealer trojan

windows10-2004-x64

26 signatures

150 seconds

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
5000

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

192.168.1.20:4782

Mutex

$Sxr-3vDee7FzoJnhqjuE3n

Attributes

encryption_key
LcVYe5IBs1GiJF6d5bmv
install_name
$srr-powershell.exe
log_directory
Logs
reconnect_delay
1000
startup_key
$srr-mstha
subdirectory
Windows

Targets

- Target
  
  serorox.zip
- Size
  
  15.8MB
- MD5
  
  e27ba230388a4a822fb48d12d3d7a906
- SHA1
  
  0d3ec02edbdbbd7e4e615d0663084c14a8e8b7bd
- SHA256
  
  cc4ddee264eb2d333ac1b95eb2243f7bc9699398c7f7cadd5cce1e4d7fc72c02
- SHA512
  
  d06d16289f1f714283ecd80f3c7cdcf5c90afb6a55df2283987f5791854d2ea55f04bf09a2c5e7ddb2e10cf00cb1eeff5f0fedc6f2ec5590a6e37323a4a99d3e
- SSDEEP
  
  393216:TnKgzRmCYe6kexg3P/Lwm00U9+9ge9rMkwHkMfZukCk7k:WCboxg3rwm0N9q9wkOxrI
Score

10^/10

agenttesla quasar slave keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- AgentTesla payload
- Downloads MZ/PE file
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

agentteslaquasar

behavioral1

agentteslaquasarslavekeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy