agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z
Sample

241119-w8p92svlbr

Malware Config

Extracted

Family

emotet

Botnet

Epoch2

192.158.216.73:80

85.214.28.226:8080

142.44.137.67:443

162.241.242.173:8080

85.152.162.105:80

62.30.7.67:443

78.24.219.147:8080

74.120.55.163:80

169.239.182.217:8080

216.208.76.186:80

95.213.236.64:8080

200.114.213.233:8080

104.131.44.150:8080

70.121.172.89:80

75.139.38.211:80

185.94.252.104:443

97.82.79.83:80

103.86.49.11:8080

79.98.24.39:8080

83.169.36.251:8080

rsa_pubkey.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Sages101*

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gautengelectrical.co.za
Port:
587
Username:
[email protected]
Password:
*2wo)L6EXH7%
Email To:
[email protected]

Extracted

Family

lokibot

http://brokensoul.ga/Colba4/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

revengerat

Botnet

Guest

pmoses13-47804.portmap.io:47804

Mutex

RV_MUTEX

Targets

- Target
  
  https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.09.7z
Score

10^/10

agenttesla dharma emotet lokibot masslogger njrat revengerat epoch2 guest banker collection credential_access defense_evasion discovery evasion execution impact keylogger macro macro_on_action persistence privilege_escalation ransomware spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main payload
- Masslogger family
  masslogger
- Njrat family
  njrat
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- AgentTesla payload
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Emotet payload
  Detects Emotet payload in memory.
  trojan banker
- Renames multiple (554) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- RevengeRat Executable
  stealer
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1