agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00457.7z
Size

94.2MB
Sample

241011-ntp2qszgja
MD5

0c9b6bbe2d9d8bccd81434f178293a02
SHA1

4e76101a350d50677b5c3eff1f2cdc06b8a059f6
SHA256

fe681686e68278cbd393354a7f3a7a044e25cf99d8e093e0ed9342ca21423f6e
SHA512

01cbf237680737c1b44c56390cc9ae40ec2d5f14815dc9fea2d5cd793c229d3670306102376d37b9e46ec9d19940a4eb5bf3e65c221ebf96d95c74c8d0d2978b
SSDEEP

1572864:0hX+BE1eArX8iIH80O6XBipwQRqaJFTZyB/l5xLE+kLvNqyKF1+B6wONgqCGUzSc:0hX+C3X8iLoRfillyB/DNo6FYB6wOuO+

Malware Config

Extracted

Family

fickerstealer

80.87.192.115:80

Extracted

Path

C:\Users\Admin\GET_YOUR_FILES_BACK.txt

Family

avoslocker

Ransom Note

Attention! Your files have been encrypted using AES-256. We highly suggest not shutting down your computer in case encryption process is not finished, as your files may get corrupted. In order to decrypt your files, you must pay for the decryption key & application. You may do so by visiting us at http://avos2fuj6olp6x36.onion. This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/ Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website. Hurry up, as the price may increase in the following days. If you fail to respond in a swift manner, we will leak your files in our press release/blog website accessible at http://avos53nnmi4u6amh.onion/ Your ID: a897b099bf811da5f3a69ceedd351c4f9afac28b8d72f4544d4d6a521209ad24

URLs

http://avos2fuj6olp6x36.onion

http://avos53nnmi4u6amh.onion/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

gcleaner

gc-prtnrs.top

gcc-prtnrs.top

Extracted

Family

redline

Botnet

@zveryga99872

152.228.150.198:11188

Targets

- Target
  
  RNSM00457.7z
- Size
  
  94.2MB
- MD5
  
  0c9b6bbe2d9d8bccd81434f178293a02
- SHA1
  
  4e76101a350d50677b5c3eff1f2cdc06b8a059f6
- SHA256
  
  fe681686e68278cbd393354a7f3a7a044e25cf99d8e093e0ed9342ca21423f6e
- SHA512
  
  01cbf237680737c1b44c56390cc9ae40ec2d5f14815dc9fea2d5cd793c229d3670306102376d37b9e46ec9d19940a4eb5bf3e65c221ebf96d95c74c8d0d2978b
- SSDEEP
  
  1572864:0hX+BE1eArX8iIH80O6XBipwQRqaJFTZyB/l5xLE+kLvNqyKF1+B6wONgqCGUzSc:0hX+C3X8iLoRfillyB/DNo6FYB6wOuO+
Score

10^/10

agenttesla avoslocker fickerstealer gcleaner glupteba mafiaware666 metasploit onlylogger redline sectoprat stormkitty @zveryga99872 agilenet backdoor defense_evasion discovery dropper evasion execution impact infostealer keylogger loader persistence ransomware rat spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Avoslocker Ransomware
  Avoslocker is a relatively new ransomware, that was observed in late June and early July, 2021.
  ransomware avoslocker
- Detect MafiaWare666 ransomware
- Disables service(s)
  evasion execution
- Fickerstealer
  Ficker is an infostealer written in Rust and ASM.
  infostealer fickerstealer
- GCleaner
  GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
  loader gcleaner
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba payload
- MafiaWare666 Ransomware
  MafiaWare666 is ransomware written in C# with multiple variants.
  ransomware mafiaware666
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- OnlyLogger
  A tiny loader that uses IPLogger to get its payload.
  loader onlylogger
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- StormKitty
  StormKitty is an open source info stealer written in C#.
  stealer stormkitty
- StormKitty payload
- AgentTesla payload
- Core1 .NET packer
  Detects packer/loader used by .NET malware.
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- OnlyLogger payload
- Creates new service(s)
  persistence execution
- Modifies Windows Firewall
  evasion
- Executes dropped EXE
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1