agenttesla

General

Target

406a95c63d5761ed857b11e2849b913a44cfbcd8aa8f56f40e2f9121d1c789fb.exe
Size

89KB
Sample

240509-btgzxaag2x
MD5

aee13dc2462d2e635023dbac575b6134
SHA1

569deb74a86fe717c17067089012d5ec577d06ae
SHA256

406a95c63d5761ed857b11e2849b913a44cfbcd8aa8f56f40e2f9121d1c789fb
SHA512

b398555a6fcd60033391c4489fa87f38080f8bdc35c93a526403d4a922118626343a88967ede5104ef9c73269ded93335461a74309179e679519947df0cb29ef
SSDEEP

1536:8yEsqd/sl6nMMcRhVTp475tLInd5qkSxg0Jri82Q3L8WNOOUn6LsIh1tQeF6:PEjd2McHV1StLoKDxTsn64INQeF6

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
OBC#75@tsGreenPass@5974a
Email To:
[email protected]

Targets

- Target
  
  406a95c63d5761ed857b11e2849b913a44cfbcd8aa8f56f40e2f9121d1c789fb.exe
- Size
  
  89KB
- MD5
  
  aee13dc2462d2e635023dbac575b6134
- SHA1
  
  569deb74a86fe717c17067089012d5ec577d06ae
- SHA256
  
  406a95c63d5761ed857b11e2849b913a44cfbcd8aa8f56f40e2f9121d1c789fb
- SHA512
  
  b398555a6fcd60033391c4489fa87f38080f8bdc35c93a526403d4a922118626343a88967ede5104ef9c73269ded93335461a74309179e679519947df0cb29ef
- SSDEEP
  
  1536:8yEsqd/sl6nMMcRhVTp475tLInd5qkSxg0Jri82Q3L8WNOOUn6LsIh1tQeF6:PEjd2McHV1StLoKDxTsn64INQeF6
Score

10^/10

agenttesla purelogstealer zgrat keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
  stealer purelogstealer
- PureLog Stealer payload
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect ZGRat V1

PureLog Stealer

PureLog Stealer payload

ZGRat

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2