agenttesla

General

Target

Spyder Crypter.exe
Size

6.1MB
Sample

240915-rn7w5sxdka
MD5

746168f734d284071195168fb0b3e3f1
SHA1

e21502614b162ee01b5f9b457fb2badd1d5a1b88
SHA256

bc68e5ff990b3549cfdae99e79855354927bf0e2d0be70bb841bdb7fa2664236
SHA512

75bfe3cfabc70dc8c15a3d7cfb8c5ddb0ac36f6477c881aa0c0d612a53cb0f0b0f461c3157cc99dae107d9632c6f82f869a9ac72c0283e5cbb81a0312d8dc477
SSDEEP

196608:L8OPk7HeNvetIONQVxiGQXk2PpKuodnLmRvUy:wmveK4xU2RKumSdUy

Score

10^/10

Malware Config

Extracted

Family

limerat

Attributes

aes_key
in0c3nt
antivm
false
c2_url
https://paste.fo/raw/7ad53c7a1aa4
delay
3
download_payload
false
install
true
install_name
SysConfig.exe
main_folder
UserProfile
pin_spread
false
sub_folder
\System Configurations\
usb_spread
false

Extracted

Family

xworm

Version

5.0

C2

catcheyou.ooguy.com:34611

connectedto.mywire.org:34611

Mutex

3CSwuKoPQxO8cnod

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Targets

- Target
  
  Spyder Crypter.exe
- Size
  
  6.1MB
- MD5
  
  746168f734d284071195168fb0b3e3f1
- SHA1
  
  e21502614b162ee01b5f9b457fb2badd1d5a1b88
- SHA256
  
  bc68e5ff990b3549cfdae99e79855354927bf0e2d0be70bb841bdb7fa2664236
- SHA512
  
  75bfe3cfabc70dc8c15a3d7cfb8c5ddb0ac36f6477c881aa0c0d612a53cb0f0b0f461c3157cc99dae107d9632c6f82f869a9ac72c0283e5cbb81a0312d8dc477
- SSDEEP
  
  196608:L8OPk7HeNvetIONQVxiGQXk2PpKuodnLmRvUy:wmveK4xU2RKumSdUy
Score

10^/10

agenttesla limerat xworm defense_evasion discovery evasion execution keylogger persistence rat spyware stealer themida trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect Xworm Payload
- LimeRAT
  Simple yet powerful RAT for Windows machines written in .NET.
  rat limerat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- AgentTesla payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Indicator Removal: Clear Windows Event Logs
  Clear Windows Event Logs to hide the activity of an intrusion.
  defense_evasion
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1