agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

Astral Spoofer.zip
Size

2.7MB
Sample

240820-y9t1qswanl
MD5

83e348240aa57c1608784559029dfcc6
SHA1

4341ab55200d4f169865f5d8fa961daf6533630a
SHA256

fc177447cdf3ff84cf9c88ab9692242e525b00ea5067e4bc3773823ac9305253
SHA512

98d9872f8db9304e424066e73089865e32ad685ebc4522bd4313194744c7c0e6664d928ecc53f19dc9394796ce2651ea925474affba1a9b8666a7c0d2ecb7c8a
SSDEEP

49152:dAF/EZS7drppV00el5KYs6z5WCPgb1mCXqUw+mQc4x6C2P67aRoO0TgSN7DPcRZM:dvoxppu0R2tonU+PX6JVoDgSNnaQkdVC

Score

10^/10

Malware Config

Targets

- Target
  
  Astral Spoofer.zip
- Size
  
  2.7MB
- MD5
  
  83e348240aa57c1608784559029dfcc6
- SHA1
  
  4341ab55200d4f169865f5d8fa961daf6533630a
- SHA256
  
  fc177447cdf3ff84cf9c88ab9692242e525b00ea5067e4bc3773823ac9305253
- SHA512
  
  98d9872f8db9304e424066e73089865e32ad685ebc4522bd4313194744c7c0e6664d928ecc53f19dc9394796ce2651ea925474affba1a9b8666a7c0d2ecb7c8a
- SSDEEP
  
  49152:dAF/EZS7drppV00el5KYs6z5WCPgb1mCXqUw+mQc4x6C2P67aRoO0TgSN7DPcRZM:dvoxppu0R2tonU+PX6JVoDgSNnaQkdVC
Score

1^/10
behavioral1 behavioral2
- Target
  
  Astral Spoofer/Astral Spoofer.exe
- Size
  
  2.3MB
- MD5
  
  c876b45319a311cafc84d44b4ea5253f
- SHA1
  
  592125ee3e6102c713d17e1f24d1845920b43778
- SHA256
  
  1c192272b1306bc6ca80a038f0fa9ce74501724311c6f53cf232d9b73e21a493
- SHA512
  
  ae53b9d792aa5de9f3737d4a1f798da058195e1301a75173e72ddac12d012314108f87e48bcc543d9650237d0e5edbed7348da04968cc81ecb40ac3b181d450f
- SSDEEP
  
  49152:eA3s/tni8VxdjEabpGD8bE5yQwodrtDT/lK6zCv:be4wUwirtlK6
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
behavioral3 behavioral4
- Target
  
  Astral Spoofer/Bootstrapper/Bootstrapper.exe
- Size
  
  128KB
- MD5
  
  c8a44ba9b317cdae796cad6a3db01fd6
- SHA1
  
  9a7854df8133e6bd539a9312b49a8533a030d36e
- SHA256
  
  0b80a52885e811d0e59318bd5feef640c7b18976c9da51e618de4d2b19b90c07
- SHA512
  
  5517f24bb118c208862a0c270379ac5698cd3a06b4e13894605adc9918cdd780aa90949c8b43d093fa335ae2921722126cf31bda1b72d690dae804682655b815
- SSDEEP
  
  3072:s/25jvDSgsqsb5Uh28vAbTV1WW69B9VjMdxPedN9ug0z9TBfFSDep:vtzsb5Uh28+V1WW69B9VjMdxPedN9ugc
Score

8^/10

discovery execution persistence
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  Astral Spoofer/Bootstrapper/READ ME.txt
- Size
  
  140B
- MD5
  
  6637f402fad6361be1559efc37e6d556
- SHA1
  
  3044bf4ed0a4758c32c25f00bbb0be7db6369f99
- SHA256
  
  82cc5e48dba17a1b14d9f23c486ed4e7571e7fd386a7ef13aefa59dd20e23a25
- SHA512
  
  0b360593c53069d1aa616341a8a7568decc1aee553126da221c5e73698f05e3ea3317740e8e9a24e9a17313574e99e0f7fad367ccb7fcd1f8d26cbf06e965fad
Score

1^/10
behavioral7 behavioral8
- Target
  
  Astral Spoofer/Disable windows defender/Defender_Settings.vbs
- Size
  
  313B
- MD5
  
  b0bf0a477bcca312021177572311e666
- SHA1
  
  ea77332d7779938ae8e92ad35d6dea4f4be37a92
- SHA256
  
  af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
- SHA512
  
  09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8
Score

1^/10
behavioral10 behavioral9
- Target
  
  Astral Spoofer/Disable windows defender/dControl.exe
- Size
  
  447KB
- MD5
  
  58008524a6473bdf86c1040a9a9e39c3
- SHA1
  
  cb704d2e8df80fd3500a5b817966dc262d80ddb8
- SHA256
  
  1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326
- SHA512
  
  8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31
- SSDEEP
  
  6144:Vzv+kSn74iCmfianQGDM3OXTWRDy9GYQDUmJFXIXHrsUBnBTF8JJCYrYNsQJzfgu:Vzcn7EanlQiWtYhmJFSwUBLcQZfgiD
Score

7^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
behavioral11 behavioral12
- Target
  
  out.upx
- Size
  
  653KB
- MD5
  
  6970ea0b6597dcd5b4f5f19f28e958a8
- SHA1
  
  a0130bb7ac03ec4799c90781ca93fd1392c6d54c
- SHA256
  
  481e03978ca339ce697252895efe89b09fefd3098ad247d24eeb6cca9969f553
- SHA512
  
  bc95cbe9a050e3d3b713745ef399bf2817d38f8e019f6edffdd2bf755badbde766e434e39a7f32356125bba0692b694c18da8dd0762aac0c9430d45acb215e01
- SSDEEP
  
  12288:nkxDoouVA2nxKkhEvdRgQriDJOIlW+yBGQowlNCWS:RRmJkioQrilOIc+yMx
Score

1^/10
behavioral13 behavioral14
- Target
  
  Astral Spoofer/Disable windows defender/dControl.ini
- Size
  
  85KB
- MD5
  
  05450ff06366ae22654b63a6e27d1624
- SHA1
  
  11453c370f41287fb6339e509bb9d3c91842b379
- SHA256
  
  8e9a84da243905685ca77b6ef71841e610b88b7963d4de59f6dcbdd1621ecacd
- SHA512
  
  ee0a9605b566aa89c8c9b260e1d9c15aecbd6cddc2df47fe24ef2cafbe8923b3e025bd5cd3d34499292589a3c094dd796ab4560c8099bad2051a54928c37b4b2
- SSDEEP
  
  768:i/G+NmPfjsxaxdk2akexodULxEQq1wIgC+AEbSr6:1+NyjsxkKdkJdULgbWSO
Score

1^/10
behavioral15 behavioral16
- Target
  
  Astral Spoofer/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  c97f23b52087cfa97985f784ea83498f
- SHA1
  
  d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89
- SHA256
  
  e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd
- SHA512
  
  ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512
- SSDEEP
  
  49152:cvrqKk8q2gqi2OXCt6kuSw9g8PTNTN/23uxjPHEiCAjFcm:cvrqZr
Score

1^/10
behavioral17 behavioral18
- Target
  
  Astral Spoofer/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  195ffb7167db3219b217c4fd439eedd6
- SHA1
  
  1e76e6099570ede620b76ed47cf8d03a936d49f8
- SHA256
  
  e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
- SHA512
  
  56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
- SSDEEP
  
  12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
Score

1^/10
behavioral19 behavioral20
- Target
  
  Astral Spoofer/Newtonsoft.Json.xml
- Size
  
  696KB
- MD5
  
  d398ffe9fdac6a53a8d8bb26f29bbb3c
- SHA1
  
  bffceebb85ca40809e8bcf5941571858e0e0cb31
- SHA256
  
  79ee87d4ede8783461de05b93379d576f6e8575d4ab49359f15897a854b643c4
- SHA512
  
  7db8aac5ff9b7a202a00d8acebce85df14a7af76b72480921c96b6e01707416596721afa1fa1a9a0563bf528df3436155abc15687b1fee282f30ddcc0ddb9db7
- SSDEEP
  
  6144:XqqU+k/Rik5aG0rH3jGHdl0/IdHXpgVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QA:DU1
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Astral Spoofer/READ ME INSTRUCIONS.txt
- Size
  
  338B
- MD5
  
  fc74c469bcd2bea7825fca0dc88daf7e
- SHA1
  
  693c4cea47760ca841571f727e8294cc37b380b5
- SHA256
  
  ec0fc87a36fc13ab1abec9bd6f48722b21214677c026d4ce8066419da99fd0a9
- SHA512
  
  17ec91ec9cbecdf54ea38a93194598e3882cb396f5da88acca30bbc96ff9984c37cd759c30a36e0adb57cca79590e7cd5be962e751637c07f778a69d027f87c7
Score

1^/10
behavioral23 behavioral24
- Target
  
  Astral Spoofer/Serialchecker.bat
- Size
  
  2KB
- MD5
  
  75e8ac5bdef839ba34532b69e1f3feb4
- SHA1
  
  beae4fe06294e10fc2831a45f2f8436cae449bf2
- SHA256
  
  c7a86fb9f079249b3bd525ea13128da103fc0bdb4764cdbbc48c8e505b0f1429
- SHA512
  
  1525242c0ae50ec12312eef0ce8be4dcf166ffb3162963e6f81f1fa230e2038a70a19f82501118ada5fef48fa8d32c1c24b2aebf08a096da8b8dcf393aed4509
Score

1^/10
behavioral25 behavioral26

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

AgentTesla payload

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

UPX packed file

AutoIT Executable

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26