agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

Setup.ZIP
Size

4KB
Sample

240603-w9r52aga94
MD5

8f09880436e2d5218370bdffe4430d77
SHA1

e9ec604b1cefa128d7b611d88b665f079dce2b24
SHA256

2e51701c2ae78af7f1ff4d2aed64148e19d138c36c4096cae67c638e642e054e
SHA512

7990c6a2efeed4bf57812434d79f0ef968e06a460f28cd23c407f8bbb2a0f84de17309c9acd02e97dc503bb25294f39ad877a69b1f1baddef4d54c0f3f783981
SSDEEP

96:pSfd8hcsTZKP1qiJn46vGM5sXkMVijOJ5hTmT+31+1J1p1nWWjRn0:cfdy8qg46vGMekeijOJrFQV0WjRn0

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://49.13.194.118/ADServices.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=458&c=1002

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/dl.php?id=444&c=1002

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

redline

Botnet

newbild

185.215.113.67:40960

Extracted

Family

stealc

Botnet

cuapfss

http://23.88.106.134

Attributes

url_path
/6a9f8e2503d99c04.php

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.fasmacopy.gr
Port:
587
Username:
[email protected]
Password:
Fam28sjd
Email To:
[email protected]

Extracted

Family

systembc

204.137.14.135:443

Extracted

Family

stealc

Botnet

default

http://147.45.47.150

Attributes

url_path
/eb6f29c6a60b3865.php

Extracted

Family

risepro

147.45.47.126:58709

Targets

- Target
  
  Setup.ZIP
- Size
  
  4KB
- MD5
  
  8f09880436e2d5218370bdffe4430d77
- SHA1
  
  e9ec604b1cefa128d7b611d88b665f079dce2b24
- SHA256
  
  2e51701c2ae78af7f1ff4d2aed64148e19d138c36c4096cae67c638e642e054e
- SHA512
  
  7990c6a2efeed4bf57812434d79f0ef968e06a460f28cd23c407f8bbb2a0f84de17309c9acd02e97dc503bb25294f39ad877a69b1f1baddef4d54c0f3f783981
- SSDEEP
  
  96:pSfd8hcsTZKP1qiJn46vGM5sXkMVijOJ5hTmT+31+1J1p1nWWjRn0:cfdy8qg46vGMekeijOJrFQV0WjRn0
Score

1^/10
behavioral1
- Target
  
  Setup.exe
- Size
  
  12KB
- MD5
  
  a14e63d27e1ac1df185fa062103aa9aa
- SHA1
  
  2b64c35e4eff4a43ab6928979b6093b95f9fd714
- SHA256
  
  dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
- SHA512
  
  10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
- SSDEEP
  
  192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ
Score

10^/10

agenttesla amadey exelastealer kaiten lokibot phorphiex redline risepro stealc systembc targetcompany xworm @logscloudyt_bot cuapfss default newbild bootkit botnet collection discovery evasion execution exploit infostealer keylogger loader persistence ransomware rat spyware stealer trojan upx vmprotect worm
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Amadey
  Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
  trojan amadey
- Detect Xworm Payload
- Detects Kaiten/Tsunami Payload
- Detects Kaiten/Tsunami payload
- Exela Stealer
  Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
  stealer exelastealer
- Kaiten/Tsunami
  Linux-based IoT botnet which is controlled through IRC and normally used to carry out DDoS attacks.
  botnet kaiten
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Modifies security service
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- RisePro
  RisePro stealer is an infostealer distributed by PrivateLoader.
  stealer risepro
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- SystemBC
  SystemBC is a proxy and remote administration tool first seen in 2019.
  trojan systembc
- TargetCompany,Mallox
  TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
  ransomware targetcompany
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Contacts a large (8352) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Renames multiple (7037) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Possible privilege escalation attempt
  exploit
- Stops running service(s)
  evasion execution
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Drops Chrome extension
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral2