agenttesla

General

Target

25052024_1051_23052024_OSE - PO & FCST - 採購單-LT24052303183991-01.rar
Size

1.0MB
Sample

240525-mxybvadh9z
MD5

cb0ee046db848416fd6fa70bbbc5ea8a
SHA1

1725f98f7f9e53c091a11a4d9cebbda02053ebc7
SHA256

f67ae1eff47c8f1efc0044db3bc5a435a7f419e70c2361eb40d6714a4c37742a
SHA512

5d62f52cb64905776d3056bb39e8b50606de13ca3b3d49f45266894f0bd6cd0b2ba7448da2a922306f045afbd8ba58f0ebb0220499ffff1dc9c9df55c03d728f
SSDEEP

24576:QR/xqwPI4ANhE833sU+8E2OX3uO2Jdv7+a/AGpPlVSD21Dw+rGUAV:Q7quIHE8nsUPE2uN2r++DlV+2SOI

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

b64c611.ddnss.eu:3154

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
uytrs.exe
copy_folder
iu7y6tr
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
u8tus.dat
keylog_flag
false
keylog_folder
87y6trf
mouse_option
false
mutex
OIUGH6-BFBAXD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7062583539:AAFQjFwRQkLApxa503ZXmcd2CJhJK5Vjupw/

Targets

- Target
  
  OSE - PO & FCST - 採購單-LT24052303183991-01.exe
- Size
  
  15.0MB
- MD5
  
  4cbc670c79dddc759b63ded7f36a80e1
- SHA1
  
  7bf50c94959846e1c7caf521e697ee2367aabf01
- SHA256
  
  1dd45a1200496700a9a9e138a0ecf1625c981855159ceb8624fe69b8bcfe3bb5
- SHA512
  
  6bc15e6acbfdcf09e5eefc1fcc02e997ae81c2b9bcbf02df78ba6c3db8c8620130880fa2d6e49a1b3a9e7df2b4f5e428d8cb4326e6679d9e0639dc40ce099535
- SSDEEP
  
  24576:y6nVMk+HIj90cmvFMN8O6TXQRfAGWEUAxqnRAIsJumwocd5xShmC+a+OPj:xVz7tWqKTXQiTpsJr/Qx8ec
Score

10^/10

agenttesla remcos remotehost keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2