agenttesla

Resubmissions

24-10-2024 21:03

241024-zv5dlathjf 1

Sharing

Copy URL

Twitter E-mail

General

Target

RNSM00439.7z
Size

106.7MB
Sample

241025-wez76azngv
MD5

63c3e9eaea5a68b2e6eb2cbe628ebbae
SHA1

00e621930a325dbf2af253f92199e720697da9c1
SHA256

3446df3ed44fb3b1c5d9da71fbb19c82b44105827aaaab34f68bc30df01a936c
SHA512

73e2d4f0393defc504ec8dc20f3c7b5d4e0452d195d42aa5442ba8c88b5b6681a19c6027c6817dc5df32e9548bf4b38e63cd0155094dd41d7e5457ed3b6383a9
SSDEEP

3145728:CTYNxP7DTS3kYmW5WiFT81N7bhgRiDqX5tv8qDu:cYNd7DTjYz5W6T81N71g+U1R6

Malware Config

Extracted

Family

tofsee

43.231.4.7

lazystax.ru

Extracted

Family

nanocore

Version

1.2.2.0

dbep.duckdns.org:54920

warqazx.strangled.net:54920

Mutex

2d2dca86-7818-426c-9e84-55f634ea61fc

Attributes

activate_away_mode
true
backup_connection_host
warqazx.strangled.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-03-07T16:37:38.065258936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54920
default_group
26thmay
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
2d2dca86-7818-426c-9e84-55f634ea61fc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
dbep.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
computer.com

Extracted

Family

bitrat

Version

1.35

wdupdate.duckdns.org:4455

Attributes

communication_password
bfe6c14c945256de12a6add92c83b4d9
tor_process
tor

Targets

- Target
  
  RNSM00439.7z
- Size
  
  106.7MB
- MD5
  
  63c3e9eaea5a68b2e6eb2cbe628ebbae
- SHA1
  
  00e621930a325dbf2af253f92199e720697da9c1
- SHA256
  
  3446df3ed44fb3b1c5d9da71fbb19c82b44105827aaaab34f68bc30df01a936c
- SHA512
  
  73e2d4f0393defc504ec8dc20f3c7b5d4e0452d195d42aa5442ba8c88b5b6681a19c6027c6817dc5df32e9548bf4b38e63cd0155094dd41d7e5457ed3b6383a9
- SSDEEP
  
  3145728:CTYNxP7DTS3kYmW5WiFT81N7bhgRiDqX5tv8qDu:cYNd7DTjYz5W6T81N71g+U1R6
Score

10^/10

agenttesla asyncrat bitrat nanocore tofsee xmrig zgrat agilenet defense_evasion discovery evasion execution keylogger miner persistence privilege_escalation ransomware rat spyware stealer trojan upx vmprotect
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Bitrat family
  bitrat
- Detect ZGRat V2
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Nanocore family
  nanocore
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Tofsee family
  tofsee
- Xmrig family
  xmrig
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Zgrat family
  zgrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- AgentTesla payload
- Renames multiple (121) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- XMRig Miner payload
  miner
- Creates new service(s)
  persistence execution
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- System Binary Proxy Execution: InstallUtil
  Abuse InstallUtil to proxy execution of malicious code.
  defense_evasion
- System Binary Proxy Execution: Regsvcs/Regasm
  Abuse Regasm to proxy execution of malicious code.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Cryptocurrency Miner
  Makes network request to known mining pool URL.
  miner
- Drops startup file
- Executes dropped EXE
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1