agenttesla

Sharing

General

Target

ef6f63f0f49daae69b8c113f1c727a51_JaffaCakes118
Size

1.1MB
Sample

240921-km1ccatepj
MD5

ef6f63f0f49daae69b8c113f1c727a51
SHA1

84fe2a44413a22388efd6afd8ede7d0381c5588e
SHA256

8720ce143198440ad0bf5cac66c06304ab1f414d24de6c6e8184063cd45e2490
SHA512

595cb70c6a00fd7198f881a3089f9db24c1dfaffbf3a968442e083efbe222d739af28d488a81e242a8ef3ccaee6f8ed0cb0022464217fa13de746df29e71d8be
SSDEEP

24576:nfENjE6P12KjE5nPem0ft4fxZMNx3yFoJmMJfy1B:nuoKjE5nPe7ymNVymJmSyP

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

4qdc

Decoy

sdsjhgs.com

adanonce.com

ace-expertises.com

kasip.club

web2print.works

remteq.com

stillwasserkennels.com

sherepix.ltd

contouron.net

issuebeam.com

nodusentertainmenttw.com

handproofs.com

180-g.com

canrejas.com

f8ca33788f22.com

flatlandgardenning.com

skosolutionsllc.com

santiagobarrientos.com

hrvaworks.com

fungihoney.com

Targets

- Target
  
  Appraisal...exe
- Size
  
  455KB
- MD5
  
  8cc9377f480b118d4a20097795125fa1
- SHA1
  
  15b3adb3bbb8a44479506dd3dcdd7abdd1ddcfe3
- SHA256
  
  e0ca3417eb10f895ac70bee753e9fd7e549287aad340ab3f38c75c58d27657a0
- SHA512
  
  9fbf69382149e6766c6d0c9d9a296a3d91c6a96ac21ee3fd08d65c9a3da3499238b629dc6e8ca99a561e5d813acebc9bdfad815ba68637a15037e774fca48c3d
- SSDEEP
  
  12288:4NOC63GkAuNDa/S1F09ZEC7jn3VK/yjAqoBT7nM:9Z3XN4S1CXE8DV2yj07nM
Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  056oizw.dll
- Size
  
  11KB
- MD5
  
  3b1537f7fc03d57fd1ba28e5df23403e
- SHA1
  
  739b38f636a072f057791240f655a236872d9780
- SHA256
  
  9db597caf72e1ae04bd196338acc32912aa42485046bd71a7ca75e461a09fa28
- SHA512
  
  6f9f244c2336a3b445b536b4ae56027f66850bd9b508b603a672a8ffd9645e0f03f72e4b0baa281aa9dd6a7b36a8c7a17d2bc6e4c8d34ad21e29f9d1577485ba
- SSDEEP
  
  192:beeIUr464vfrcM6Oh/+2TnYB1Rjrsb6f4rCzLom:gU8vn+W/+2MB7sGf4Gn
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Current-value.exe
- Size
  
  210KB
- MD5
  
  0631513293a26704a9d21585a6dcaaff
- SHA1
  
  cb2b45d7d9dc2a79845413eccd319f391ab34dee
- SHA256
  
  1c2c212dbad3b81d9c6225c3a9f9f6211b10782d228a090f9aa4f038b0270663
- SHA512
  
  2d7f1ab850d08a1bd7a9b8e43b9ea60da5ac6dff9bbb311fd61ceb6f501a630492b51d36c7437c158e7ef2f7ba9ec8468b1072c00d0fee93b9e46505a6f44883
- SSDEEP
  
  6144:YqjIeZoVSe/5Yo8ENpAgzjBX/srqcr8eFpkokt:VRZo3/W3EvjJ/xcr8eso4
Score

10^/10

xloader 4qdc discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader payload
  rat
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  4qjf8.dll
- Size
  
  11KB
- MD5
  
  f017a525c5109cf111948829b85b58cf
- SHA1
  
  a18a147258fb576eabd21fcdcdce5407d069fa7a
- SHA256
  
  8f78ffe74d0db1c327ed2dc2a76c07d0814ec2060b8f42c0c1cd32f631a4529f
- SHA512
  
  5d7a686b52614fb4327121f33ec27c2f0d171dfc694e1ee379cba22ec85a55d7982dd5ccdc99b38237fa0c9f1399e97a4b0a6c86220a021eda6aa1d055e88435
- SSDEEP
  
  192:XeIUUpbsC9TgImd+YszAvp72270jNBuq7NahLSzQ:/UUpbsCFk0xz2p72WkBuSNaeQ
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Property...exe
- Size
  
  881KB
- MD5
  
  e78e25af6dbb16bba58adf607214d2a0
- SHA1
  
  19a252b464ee14518bf7ab9eea7988901b06f063
- SHA256
  
  76077fb5cc22e7b6f56d291a9ba616655185ebf747718b198fa3f2f3e27e89bd
- SHA512
  
  ff1ce2be58476740eb55f27cbb59deb9e19424267aad22ae0f31855f2d2f9ea5115af361641646832b8d7d8d6421c7432b89d345dc71e5bf5c2d94eadad3c1a0
- SSDEEP
  
  6144:9qjItVnrQT3WqbDuV0Z+loyd93QL3Y2b982w952/0BBzetyXjrcqKSl+Qa3xAYrJ:UaN0RRQoIYC26plcqaQMTrtJQdI0m
Score

10^/10

snakekeylogger collection credential_access discovery keylogger spyware stealer
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  fccff8cb7a1067e23fd2e2b63971a8e1
- SHA1
  
  30e2a9e137c1223a78a0f7b0bf96a1c361976d91
- SHA256
  
  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
- SHA512
  
  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- SSDEEP
  
  192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  qw2bjoi.dll
- Size
  
  11KB
- MD5
  
  1f4791261ddf389207ff620c31b8a6b2
- SHA1
  
  cb3b23ad207081f4f2714087f9204e98db088443
- SHA256
  
  4460a964cc786a67fef9520a88c8f9674129ada3f816e117f04381cadd7fff00
- SHA512
  
  5330f251f01cb545ddc4975652b7c0cf01f51e2207f9c8d04a2865c07d55b0ee92ee8b1ce1933ce10a92c0aef8e429fa91a87f441a50a695aab5b9016024e391
- SSDEEP
  
  192:AiaeIUTua52hH7nvTbqrPQr1Mlg/cc7ywtevcjmGheCjm:CUTuFhbnbWUrYgkktevsheC
Score

3^/10

discovery
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

AgentTesla payload

Credentials from Password Stores: Credentials from Web Browsers

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Xloader

Xloader payload

Deletes itself

Loads dropped DLL

Suspicious use of SetThreadContext

Snake Keylogger

Credentials from Password Stores: Credentials from Web Browsers

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18