agenttesla | 403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a | Triage

Sharing

General

Target

403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a.vbe
Size

14KB
Sample

240924-bnbkyasakm
MD5

e5b0cb3019b7a60bd58fe2d18d75be4b
SHA1

7a35bcb814b31bb3f2d089cac43d6e0db6373a6a
SHA256

403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a
SHA512

a54ca5b82a7c430e42c9dadb91b56e03058027fdcc2e2e8f81569d24b0e6e0032005331a1ae064632f89797334e8afd03655b2491547e93925e703f15888af40
SSDEEP

384:wCQ3GOmBsxCn5NbEDE2PlWdjSsTivPTknILvTY:q39cs85ctyjSsaPT/vc

Score

10^/10

agenttesla guloader discovery downloader execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Targets

- Target
  
  403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a.vbe
- Size
  
  14KB
- MD5
  
  e5b0cb3019b7a60bd58fe2d18d75be4b
- SHA1
  
  7a35bcb814b31bb3f2d089cac43d6e0db6373a6a
- SHA256
  
  403347a566bd33798ee17e8b7d546dbe8ec4123a849bf3a9b3f948b72caf0a0a
- SHA512
  
  a54ca5b82a7c430e42c9dadb91b56e03058027fdcc2e2e8f81569d24b0e6e0032005331a1ae064632f89797334e8afd03655b2491547e93925e703f15888af40
- SSDEEP
  
  384:wCQ3GOmBsxCn5NbEDE2PlWdjSsTivPTknILvTY:q39cs85ctyjSsaPT/vc
Score

10^/10

agenttesla guloader discovery downloader execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaguloaderdiscoverydownloaderexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslaguloaderdiscoverydownloaderexecutionkeyloggerspywarestealertrojan