General

  • Target

    agentesla.7z

  • Size

    1.0MB

  • Sample

    241023-sclefayakr

  • MD5

    7635f5e2201bbfd35839af4370861d17

  • SHA1

    f53637cfc9c798946aecd0842b2e3e3e47070b17

  • SHA256

    818d6ad42f3e392fd415226c37ff05575fa913df3bc9493ea70837afffb9a2ac

  • SHA512

    b8b2680c95d1d8eda7ddfd823d5e4c76c87de4935b9634f6fcc2d076888e1ec79b2e738e2e115ec76fa5faa27975fafeeb34cc87f8dcbf7072269b6fa1f5742d

  • SSDEEP

    24576:fvvCceYN55QUPjSgBDeyL91I24lCBihe2uGKQwgqM6/bOujplG:PCaN5isSgZe81IVhZuGLwgsbnjTG

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    graceofgod@amen

Extracted

Family

agenttesla

Credentials

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    %qroUozO;(C2Rlyb

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.ercolina-usa.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    uy,o#mZj8$lY

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

104.129.27.19:6606

104.129.27.19:7707

104.129.27.19:8808

Mutex

ppUf6LQ00ujy

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

104.129.27.19:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %WinDir%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_lojuxaaqmwpnhvc

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      agentesla/00c0a561a336fa0fff7f424c06c32ba0034970f890715693f8c58115ac45912b

    • Size

      234KB

    • MD5

      b772ba158b117ed888c6806ec8e1c982

    • SHA1

      76a72cea71589e6452671a8b537e30b1af3d7f01

    • SHA256

      00c0a561a336fa0fff7f424c06c32ba0034970f890715693f8c58115ac45912b

    • SHA512

      67a9dc5983e290f2b6e7d50b949e8e8bea1fe43bc446615c125aa9749149e974c87fc1ffd55d1de6f52e8ec177b1191356cffef7bb9ecf56d2c05890ada96358

    • SSDEEP

      3072:fDZmyuyGLY/EsbHKHpBTkPajL5C0IDQH:fDZmyuyGLY/EsbHKJBbjNIU

    Score
    3/10
    • Target

      agentesla/04ec444b81fb470e6021f3600bdc6b3abd8bd4c73b5646defd50dc9c1f57b2f8

    • Size

      234KB

    • MD5

      4642b73150f1a3e86ce31e82fa522a2e

    • SHA1

      be8a4d33a3fe2db41c6c543b423f95f9a2bff5ef

    • SHA256

      04ec444b81fb470e6021f3600bdc6b3abd8bd4c73b5646defd50dc9c1f57b2f8

    • SHA512

      65fe81e01b600c0c1d1f42d7dcd70a7b7e972e25ab5445dc922d54b05e7be9983c6c32652f026c56b10dafc65d0b0b4d7895a64e222eddd197dc4e6012ad6b77

    • SSDEEP

      3072:SblxVZlUPtRbJbJwrdfRdnlugvinu5FI1x2+:SblxVZlUPtRbJurdfzlxanF1g

    Score
    3/10
    • Target

      agentesla/0589b1a23462a22c92aba14d099cdca5d8be0b78d333de15a8de5e3881ba5ac3

    • Size

      317KB

    • MD5

      d53c8b2c992c576711eb31d722504a5c

    • SHA1

      7f7fa9fbf6ccf7f0df15285c9bf7bb3c8252b0df

    • SHA256

      0589b1a23462a22c92aba14d099cdca5d8be0b78d333de15a8de5e3881ba5ac3

    • SHA512

      45e2bf5b0d2bd41268b2bffff3acb1886dd5ec1418a2033ec205e633a1358077240c1b6dd8d92bc49a8f16b09cfd58e70257758de100d20443161a6ee61b2807

    • SSDEEP

      3072:oZJZ7D9EFYEQ8wkN3dKjoyuPdyevUJ9f3QU8tE4K3t4l0dzymZr3GRPkmry:u3qFYEQ8wkN3cFqdiJ8ts4lOnmk

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      agentesla/06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871

    • Size

      366KB

    • MD5

      b29263b5d35ffce3eef6a54549966724

    • SHA1

      23d474b87f0698a3c954aeeffc9e2b7777aa8731

    • SHA256

      06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871

    • SHA512

      ecdb4111613d82b06d23cb6d57ce0c1e48f06e8fa44e9c32a478a58e377bfe3170037e049035cc8b90dda74b228e52962035378c8b01cf9c6c2bd9120aaf7688

    • SSDEEP

      6144:OOTNj/znzNEu816TkUzhD6dmo9FUiK2FpSMtZSYVM/SxRCVEt1Lakl:3j/znzNEu816T5zhD6Yq5Fp37SYbTaML

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Target

      agentesla/06f3088733eb1658bf5ea5bba40773e1803262da05bb837793e1388ca37aac1c

    • Size

      234KB

    • MD5

      cd5d067043b02c9ccf956888231533de

    • SHA1

      3ba662f0e1673177ad700787263dec54582bbab0

    • SHA256

      06f3088733eb1658bf5ea5bba40773e1803262da05bb837793e1388ca37aac1c

    • SHA512

      65ab60885535fe711342e684d4d101ffb895275ab41f141467d047f1ddbe13cc2afbffb5719470ca8e1039a2915bb6c8ff66981fb100ef215eecb7f44095b8c6

    • SSDEEP

      3072:W41rvGyuyzij5bJROtGwtNs1j57LLzPuUl:W41rvGyuyzij5bJROtptNs1lvz3

    Score
    3/10
    • Target

      agentesla/071493a405eafb4ef8d835b9c34e6214de90efe7bed6ebff2644e7eb0a5ea21e

    • Size

      238KB

    • MD5

      d1cfc3e1b12d9d3ec885154279a06c10

    • SHA1

      c4f750d1b024598d1164299e2dea2de6eb831633

    • SHA256

      071493a405eafb4ef8d835b9c34e6214de90efe7bed6ebff2644e7eb0a5ea21e

    • SHA512

      a55f90603900c130d7d8865f7a504652961f4d4e6017a66fd20279d938bcaaefe4c5382c1cae06451471bae44a16d224422041001b7d7d025912b42a5abcd250

    • SSDEEP

      3072:dd8WrHTXLcYbUKIRQwoJwqEbmcfvIHr1lPFNOH5J3qWfgL:dnrHTXLcYgKIRQEPbDvIHTF4nqo

    Score
    3/10
    • Target

      agentesla/08bcd543875afc446c8fb959a0b46e3c33a59cd813816490c57085f3952a55f5

    • Size

      216KB

    • MD5

      596932a4b7dc0747282dee53618160af

    • SHA1

      b06cef1a56cd259f22bd4a34e88f0f2d9da9d3d6

    • SHA256

      08bcd543875afc446c8fb959a0b46e3c33a59cd813816490c57085f3952a55f5

    • SHA512

      cbf86e1fd4e7dc8b2a65cf1c8f41542901509e3993b7b2d3bd6d3ab6b16a8abdeb703ff2d9f636a3ffe5b7174ea7cbad2a3c2d9bbafe728731fd6c9640a177ee

    • SSDEEP

      6144:XTaYQMMO9U3w7h3wjuVHEmeGSMsBKbG1U:XTaYQMlwy3wjuVHEmeGQJ

    Score
    3/10
    • Target

      agentesla/0a733b1668fe2f6642d326abbf56034b7024564b9f81f142bb84f8acba93653d

    • Size

      220KB

    • MD5

      8f39380c77459bce9cee20d3e178167d

    • SHA1

      3fa5464ce966dd66e84beab6c1da49cbf7e2d8b4

    • SHA256

      0a733b1668fe2f6642d326abbf56034b7024564b9f81f142bb84f8acba93653d

    • SHA512

      8c1134b500c9c6e728b8c7ff2c320fc7b4afda0a533860c6ea6eeddcdadd20eb610d375fa458bc2d4fa506bb9da536d6c76f7c9ae6e1674f6f9c96ae57083a97

    • SSDEEP

      6144:UWlLbtYiFiUP18ULpjGH+mIdHI//PE+tWAst5D:d9Yib1VpjGH+mIdHI//PBIAw

    • Drops file in Drivers directory

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Target

      agentesla/0a9e668b23fdd273acb8ac8096e435e09f581d67203cf2475ef6f90e6b0965e2

    • Size

      237KB

    • MD5

      4f9ade14f96d7c93f918682e5edb11fe

    • SHA1

      6955a5974802c075aacefd6836e73cd1b68a02e4

    • SHA256

      0a9e668b23fdd273acb8ac8096e435e09f581d67203cf2475ef6f90e6b0965e2

    • SHA512

      9729c9a162815f923f902f8edbd270d6b9e66409e6fa76eab7bbb8e581b7c6bf44f8898485f48a578dcd44c7259be2855ccab45475b55468668bf504a9aba23c

    • SSDEEP

      3072:eFS5h5B5RGyPBQob8aJPoH0FfIn57N0OUJW:ek5h5B5RTBH4QPoH0FfIX0r

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      agentesla/0aab30131f78d4a2565ceecc5f11800263dd49c7c4f010b8c51617bfe76370f7

    • Size

      216KB

    • MD5

      20344385056de9197b8005cef01f09ad

    • SHA1

      30c082df2694a73e8e225695dd8a43aba8fc5f59

    • SHA256

      0aab30131f78d4a2565ceecc5f11800263dd49c7c4f010b8c51617bfe76370f7

    • SHA512

      369893b56f7c09a897f4a4719301fbad21f75f428286236a19149f3873ba55d1ece52f3560156d12248bfd3b4fc59b35bcea3b819857cd4083ebdf2cea828586

    • SSDEEP

      6144:ATaYQMMO9U3w7h3wjuVHEmeGSMsBKbG1U:ATaYQMlwy3wjuVHEmeGQJ

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Target

      agentesla/0ac34ce3065de2dac257227088c89592b8ae4e61706a0c1598870ac8eef835ce

    • Size

      238KB

    • MD5

      8bf24d729bb8ee07098958a26e8e74a6

    • SHA1

      1fa5a97780cdd18a23585e05e073b0f39c0e744d

    • SHA256

      0ac34ce3065de2dac257227088c89592b8ae4e61706a0c1598870ac8eef835ce

    • SHA512

      932b38be5d7ea3dcf0012a5643f06be7ea19b4f736781bfdb08441fa521337445d2bd86b44c4ea4036bd5415c5fef1a0cbe0984f3d0f8fbc9aea3ac509bb6dde

    • SSDEEP

      3072:dtx5f7HLPsTVGZs2zgKT+diH5G0Fl0CM5:R5f7HLPsTVGZs2zf6difFl3

    Score
    3/10
    • Target

      agentesla/0b37019099dde1c099b071932815a725c85df546cbc156fc6db28fd0dc46e934

    • Size

      164KB

    • MD5

      eb57a2afeb9ad289051f6d3533d600d0

    • SHA1

      f5ddd043da6d278c8c9d17024226b01c29b310d4

    • SHA256

      0b37019099dde1c099b071932815a725c85df546cbc156fc6db28fd0dc46e934

    • SHA512

      f8152df5fa8066cd786eabdddd42335173f5452dc9bd5a2d1d2d3d493c670f1727abc854c18fcb9b0c212a2ddf08312e02b77b62db171d2b2c2e7d62e5afc022

    • SSDEEP

      3072:OzvYkZ4Hl93N1QrfwFimWszlut0qkNVIMRuclyKGxOS8lMFdg8Fy:pHlZvQ7wv7utiNRlS8EO

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Target

      agentesla/0cb8eb139ca9874d3cf55541e6c7c8bf2810e0891454f4714e9f93d7fcc2131c

    • Size

      234KB

    • MD5

      e4077c91084df7d8b51e7a01a89ac653

    • SHA1

      610f88b0cd9ebbf509167a06b483d1520cc7ead7

    • SHA256

      0cb8eb139ca9874d3cf55541e6c7c8bf2810e0891454f4714e9f93d7fcc2131c

    • SHA512

      37c7d97b6a00ff3d51a4e098f73835e1478484eff28ef4c6fc3c415a50a190c66e4490304c5b71354c0072203753c7054a7af89579d4b1869d735515626373b9

    • SSDEEP

      1536:i9Tyzlxf7vj1TD7b87c5Qmb8XCuCqyW/kqqJHkn4Byq5Xbgc9XmJI3wZ2/eK:AKrf7vj1TPbccVbXWxunyq5rgSmJIv

    Score
    3/10
    • Target

      agentesla/0d558324d41e1186934cf86814f31bbfc9cf376476f9d274f093a6e72f1dc99f

    • Size

      166KB

    • MD5

      c4b5ba9636a769f2233050b9b7a73a86

    • SHA1

      cd4dd2e842bd734be82ac1a409e7dff915f72311

    • SHA256

      0d558324d41e1186934cf86814f31bbfc9cf376476f9d274f093a6e72f1dc99f

    • SHA512

      f645465170d789d35770bbe6dcac4dfdac45b6efd9d13260de287abddc54dfdbdf3750c1320d2ec1079aae3eee103e402be197aad71681844ee4a73453c4a1f2

    • SSDEEP

      3072:6BW5XE2Q5a+DYnL8kuEh2ntyH96GhZSAS0ZUjDOD:WW1ZL8l42nK/ZfS6

    Score
    3/10
    • Target

      agentesla/0f8aed3c459e2a6598e527fbd694b83816ebe911b9a89899678266a0cc1ef7ad

    • Size

      166KB

    • MD5

      0288fb68aef427d8ae345be1f6882a32

    • SHA1

      c670d3a298424da42ec7692934e00fb5db9066af

    • SHA256

      0f8aed3c459e2a6598e527fbd694b83816ebe911b9a89899678266a0cc1ef7ad

    • SHA512

      cd9cb18f2d1430c771dc6af47cb8ba5e6373c80708ccdb019a7542908d6b956b684a89f9928488742096b14f33a408a972b0148b5314e62647fe4ed3b0e2abe2

    • SSDEEP

      3072:FBW5XE2Q5a+DYnL8kuEh2ntyH96GhZSAS0ZUjDOD:3W1ZL8l42nK/ZfS6

    Score
    3/10
    • Target

      agentesla/10b4fa5dd267a1cda86efb0abea33722b911ea6972d113b66af613fd42f6f1d1

    • Size

      237KB

    • MD5

      cd31a92ec2fa4e8f90eb1218f9f85b8c

    • SHA1

      42dceb75f36d061584ceea5f34c7755031278a12

    • SHA256

      10b4fa5dd267a1cda86efb0abea33722b911ea6972d113b66af613fd42f6f1d1

    • SHA512

      445cd8b23deb30e542b4cb4f040c6ca800ded2584f6f6117bc8ad1431997f79d304e6f9df451af27ca55a27fcbf49adc9635d927c81cdd3fb8e5d9223c58a0e8

    • SSDEEP

      3072:9FS5h5B5RGyPBQob8aJPoH0FfIn57N0OUJW:9k5h5B5RTBH4QPoH0FfIX0r

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

agenttesla
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

agenttesla, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral6

agenttesla, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral7

agenttesla, asyncrat, remcos, default, host, discovery, execution, keylogger, persistence, rat, spyware, stealer, trojan
Score
10/10

behavioral8

agenttesla, asyncrat, remcos, default, host, discovery, execution, keylogger, persistence, rat, spyware, stealer, trojan
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

collection, credential_access, discovery, spyware, stealer
Score
8/10

behavioral17

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral18

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral19

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral20

agenttesla, collection, credential_access, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

agenttesla, collection, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral24

agenttesla, collection, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10