agenttesla

General

Target

0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js
Size

576KB
Sample

240619-bfvzlsvepp
MD5

da2a00db4ad85a7c84c8e3bdd158ed5b
SHA1

fac36df9615e08267ca51c5c32db76b5d5a3b047
SHA256

0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e
SHA512

e09e36d25ccbc7b443c215adcd013c40da9d78c82ae479326c4f92b8fabc26b8fa3f6c937fdd2b717f37330999d03928c02cd98ba0c0987245e9118770976e66
SSDEEP

12288:p68zPt15vj0FBKG5UmvOvhdvHVJwvPRjgTC7oS8Qo/A5Ih:p68zPRIFBOdvHvwXyTC7o5bh

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

C2

107.175.101.198:7000

Mutex

dvNrQCwanoQ9ouuD

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6410198048:AAGgeWnhGxZeYMKJkRauoOJwGKdxJztyd4k/

Targets

- Target
  
  0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e.js
- Size
  
  576KB
- MD5
  
  da2a00db4ad85a7c84c8e3bdd158ed5b
- SHA1
  
  fac36df9615e08267ca51c5c32db76b5d5a3b047
- SHA256
  
  0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e
- SHA512
  
  e09e36d25ccbc7b443c215adcd013c40da9d78c82ae479326c4f92b8fabc26b8fa3f6c937fdd2b717f37330999d03928c02cd98ba0c0987245e9118770976e66
- SSDEEP
  
  12288:p68zPt15vj0FBKG5UmvOvhdvHVJwvPRjgTC7oS8Qo/A5Ih:p68zPRIFBOdvHvwXyTC7o5bh
Score

10^/10

agenttesla stormkitty xworm execution keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects Windows executables referencing non-Windows User-Agents
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing credit card regular expressions
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2