General

  • Target

    RNSM00468.7z

  • Size

    103.3MB

  • Sample

    241002-wp49vszcjn

  • MD5

    c2df2a193d75d2ebcdaaa803a9e02d2c

  • SHA1

    334668dc9d0cd98412cbe7c454080ec77bb840af

  • SHA256

    d5789e5e8acb837cf697c55826769bbe7ca8b537f74924452ef5451865a99887

  • SHA512

    90db54b7f56dba7f085315b9aa7c194aff19ec3f0650c578919be2fad93bc749e48fe427c0ff4b6a6aeeb49e26ef855f2fa0429767c90aa3fec788652806c107

  • SSDEEP

    3145728:e4rPS3CLAi1kjT2dM/aiCj/WPb+uX4lNzid:riK1+IKPylNWd

Malware Config

Extracted

Language

ps1

Deobfuscated URLs

ps1.dropper

https://cdn.discordapp.com/attachments/880265796767608892/882377555729063987/New_Text_Document.txt

Extracted

Family

djvu

C2

http://astdg.top/fhsgtsspen6/get.php

Attributes

  • extension

    .hoop

  • offline_id

    922IaqlBU1I6IKX6eTDABuH3amHHwoa5qUSb8vt1

  • payload_url

    http://securebiz.org/dl/build2.exe

    http://astdg.top/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-I6qIbIYiz9 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0326gDrgo

rsa_pubkey.plain

Extracted

Path

C:\Users\Default\Saved Games\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note

Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Contact us soon, because those who don't have their data leaked in our press release blog and the price they'll have to pay will go up significantly. The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion Your ID: 3276b4d5d73dc9de228691c8193c374f5c83ba83341cf9405130e0095f60437b

URLs

http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion

http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion

Extracted

Path

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\ReadMe.txt

Ransom Note

Gentlemen! Your business is at serios risk . There is a significant hole in the security system of your company. We have easily penetrated your network. You should thank the Lord for being hacked by serios people not some stupid schoolboys or dangerous punks. They can damage all your important data just for fun. All files on each host in the network have been encrypted with a strong algorithm Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256. No one can help you to restore files without our special decoder. Photorec, RannoDecryptor etc. repair tools Are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet ) and attach 2 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc. )) You will receive decrypted samples and our conditions how to get the decoder. Please don't forget to write the name of your company in the subject of your e-mail. You have to pay for decryption in Bitcoins. The final price depends on how fast you write to us. Every day of delay will cost you additional BTC Nothing personal just business As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future we will recommend you special software that makes the most problems to hackers. Attention! One more time ! Do not rename encrypted files. Do not try to decrypt your data using third party software. P.S. Remember, we are not scammers. We dont need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection. All data will be restored absolutely. Your warranty - decrypted samples. Contact emails Primary email : [email protected] Secondary email : [email protected]

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.hdconstruct.ro/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Z7p[d6+Oe!0i^C85CQ]uD68jNN@ossy~wH-(ie^9O2(0011

Targets

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Avoslocker Ransomware

      Avoslocker is a relatively new ransomware that was observed in late June and early July 2021.

    • Chaos

      Ransomware family first seen in June 2021.

    • Chaos Ransomware

    • Detected Djvu ransomware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • GandCrab payload

    • Gandcrab

      Gandcrab is a Trojan horse that encrypts files on a computer.

    • Modifies WinLogon for persistence

    • AgentTesla payload

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Renames multiple (164) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Blocklisted process makes network request

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.
