agenttesla

Resubmissions

19-11-2024 14:00

241119-raznlswhle 10

Sharing

Copy URL

Twitter E-mail

General

Target

https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.08.7z
Sample

241119-raznlswhle

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://paste.ee/r/WayuW

ps1.dropper

https://paste.ee/r/YTiFR

Extracted

Family

qakbot

Version

325.43

Botnet

spx158

Campaign

1597913961

31.5.21.66:443

49.191.130.48:443

86.98.56.189:443

94.96.40.90:21

24.27.82.216:2222

39.36.137.147:995

216.201.162.158:443

77.30.180.199:995

74.56.167.31:443

67.209.195.198:443

173.173.72.199:443

98.16.204.189:995

2.42.219.242:443

101.108.125.71:443

100.37.36.240:443

72.28.255.159:995

85.122.141.42:995

213.120.109.73:2222

144.202.48.107:443

94.59.241.189:995

Extracted

Family

formbook

Version

4.1

Campaign

r7m

Decoy

tvdaum.com

slipperylove.com

sajhadabali.com

rulgys.men

sexservidoras.com

jsatvi.loan

yakabuna-webshop.com

texturebarn.net

allsortofgirls.com

biologynoopsyche.net

combsenterprise.com

handsfreeleveler.com

napson.com

gabi.ltd

dengshijiapu.com

boerhesi.com

szbiqiangli.com

lizoschwald.com

fintechmundo.com

kk0799.com

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tolipgoldenplaza.com
Port:
587
Username:
[email protected]
Password:
Golden@#$2019

Targets

- Target
  
  https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.08.7z
Score

10^/10

agenttesla ardamax bazarbackdoor formbook lokibot neshta oblique ostap qakbot spx158 1597913961 r7m backdoor banker collection credential_access discovery downloader execution keylogger persistence pyinstaller ransomware rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Ardamax
  A keylogger first seen in 2013.
  keylogger stealer ardamax
- Ardamax family
  ardamax
- Ardamax main executable
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazarbackdoor family
  bazarbackdoor
- Detect Neshta payload
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Neshta
  Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
  persistence spyware neshta
- Neshta family
  neshta
- Oblique family
  oblique
- ObliqueRAT
  Remote Access Trojan discovered in early 2020.
  trojan oblique
- Ostap JavaScript downloader
  Ostap is a JavaScript downloader that's been active since 2016. It's used to deliver several families, inluding TrickBot
- Ostap family
  ostap
- Qakbot family
  qakbot
- Qakbot/Qbot
  Qbot or Qakbot is a sophisticated worm with banking capabilities.
  trojan banker stealer qakbot
- ostap
  Ostap is a JS downloader, used to deliver other families.
  downloader ostap
- Formbook payload
  rat
- Renames multiple (183) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Drops file in Drivers directory
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Network Share Discovery
  Attempt to gather information on host network.
  discovery
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1