agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

C1DE15B5D043DD79DD267DD5F6D8F3EA9E15BC8A2AB63CB5FB4080CB4804C18E.zip
Size

55.1MB
Sample

241121-wthawsypbl
MD5

83b282a78dab75e8feb0a332408407a3
SHA1

9421a8b9491cde035c467356a943087fef4bd81b
SHA256

c1de15b5d043dd79dd267dd5f6d8f3ea9e15bc8a2ab63cb5fb4080cb4804c18e
SHA512

ee57318b7817c4e2bb3a71121bbe7a38360a4432299e767dcbe32e42b28e4a583da3be25f6abb32448dcdf1244b18d68faa4cb36ffae5d2a8b1f64c1ffa64ff8
SSDEEP

1572864:nNrjp0CEcC1sPpLFIN8MkpKn/RMD7m6mn9Pd:nNrjfRrPpLFVKn/RMu6mnL

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

user

45.153.230.56:9898

Mutex

3a0dd73b340192b95fd3ddf9fa526aa7

Attributes

reg_key
3a0dd73b340192b95fd3ddf9fa526aa7
splitter
|'|'|

Extracted

Family

lumma

https://scriptyprefej.store

https://navygenerayk.store

https://founpiuer.store

https://necklacedmny.store

https://thumbystriw.store

https://fadehairucw.store

https://crisiwarny.store

https://presticitpo.store

Extracted

Family

stealc

Botnet

LogsDiller

http://194.15.46.65

http://77.83.175.105

Attributes

url_path
/7e57db3b864b30f1.php

Extracted

Family

stealc

Botnet

tale

http://185.215.113.206

Attributes

url_path
/6c4adf523b719729.php

Targets

- Target
  
  010df829b95529730aa0840699e780b9176822dbefc24864ccc134a790043a28.exe
- Size
  
  2.9MB
- MD5
  
  8280e9c803dff5258a0c452549b5953c
- SHA1
  
  27ebb62ff372ffe1de06eedd3b0e1c70b2d6b6a1
- SHA256
  
  010df829b95529730aa0840699e780b9176822dbefc24864ccc134a790043a28
- SHA512
  
  a84ed79a370657385022a07e44988f3e7ebc9799ea658436ffc83a0040c258631e4db71a4c6d5d90d44ab6f375e75a8adef874a2cadbbcec9e2ff6560611b85b
- SSDEEP
  
  49152:6KTpAUwSS6eSNXM1dTPTLSoNTrR3LFG/yaRkz4sT:VTwSS6e2XM1tPTL3r9pzM
Score

10^/10

lumma discovery evasion stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  1.exe
- Size
  
  7.8MB
- MD5
  
  37f147e176952471079d4c8065fb6e00
- SHA1
  
  9e93d4c945c28fe61e2182e0d10e0934463a0ea6
- SHA256
  
  c981db0ed18cd58ec4c2f7a6f80d3e49999fbdde290ace3e4b54513d8174a8e3
- SHA512
  
  577af208371ba1501278c9cdec7fca689fdba5be60695a9009ab5bbae790a5936d65b1ed3af46a85c9343f876a66400f0786c49d58dc0d3c094245237d395763
- SSDEEP
  
  98304:MPZYxnMe4V/cJtKpGvJc5twG9Nh0AA/Sxrn4l8aC98YRO40kMMT1hxUdjX:lxMe4cxhAj48QYgqdUV
Score

10^/10

defense_evasion discovery evasion execution persistence trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Modifies RDP port number used by Windows
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  1d730b2a86c3c18be5d1fe22ee0fdd869d6ca4e01da70f53dd5722619a61b184.exe
- Size
  
  1.3MB
- MD5
  
  7dbc9073706f9681817115fa6551e145
- SHA1
  
  8c9fdb2b2eaa2974a602caa1fe672a5ca42c04cc
- SHA256
  
  1d730b2a86c3c18be5d1fe22ee0fdd869d6ca4e01da70f53dd5722619a61b184
- SHA512
  
  80afd1ac47acf47408f7f9456d9fbefa353bbdc7587880179aa7903094f29fe5fdbec04c6f5389792c3ea9f6c4515c5037d297fcd760c9cce75a767d63e5eeb3
- SSDEEP
  
  24576:ffmMv6Ckr7Mny5QLKkf/HxRXIExlIuQmRkVIEbFVL4gSh8qWw+oXGsyXeT:f3v+7/5QLK+xFfQmyVIEbFVLpWb+oXGU
Score

7^/10

discovery
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  1f4559c2464e25078e6f0ae6b99990b6607c5adc0d631d43ba380ae7de51f0c1.exe
- Size
  
  2.1MB
- MD5
  
  82ffb0d94c7f912b03d1feee6f614605
- SHA1
  
  f84ef7a098210160537648584909d6cd4f7cb6cb
- SHA256
  
  1f4559c2464e25078e6f0ae6b99990b6607c5adc0d631d43ba380ae7de51f0c1
- SHA512
  
  1cd4548cc0f382b76436d772bbf6a82f16cba6e11cd4d528e3defb5da735ea33ffe1220edbeefd409ca6b0f0b16cece159d020b1f06f6338b273ab420ccc30d5
- SSDEEP
  
  49152:n/oG96mPxsramN2DHWNJtFZkJalxLKxndQzkD8wdHTXz5E1ZLoJZA5:ngBrrN2KNvFKJa7KxKgD1HZgZLyg
Score

10^/10

stealc tale credential_access discovery evasion spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  265c128a8a9421847dea2121ae5ce79efb601616c4fd060ff9863f4c2c498c2f.exe
- Size
  
  2.7MB
- MD5
  
  473c91c8363cf492cf6192686e4aeae8
- SHA1
  
  4f56b6e25bbf8bb424a3fbb398040d980850a046
- SHA256
  
  265c128a8a9421847dea2121ae5ce79efb601616c4fd060ff9863f4c2c498c2f
- SHA512
  
  09cebc8843d1f3aacc502af0e55736e24d7675ded01c7e402820cefda513d4826a7e91167cc548a1b356bf58defeaf3a456f08e24bc42d6b560382e351d73c12
- SSDEEP
  
  49152:hB7Lsq3Y5sVCMfyPfrUF8gHZrOCOox7SkPFA:hB3sGYkCOyPfru5rEoxW4FA
Score

10^/10

discovery evasion trojan
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Windows security modification
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  49432b3c2186b051d35f09423075574cc82dbac403e5a69f311d4451a5a0e3b4.exe
- Size
  
  729KB
- MD5
  
  0c6e0d5c6de6558eab55ce5fad0b8acd
- SHA1
  
  7854ebd877d57d4cb951adc174b5d463e0140688
- SHA256
  
  49432b3c2186b051d35f09423075574cc82dbac403e5a69f311d4451a5a0e3b4
- SHA512
  
  b9f5bb3942b093e48a16d7e556e2d145a7ce447e8fa789740772ac82719a5a0025121571750f8e7a30b30ea448dfc638d472d27680c61f02ce445bf39d5e051d
- SSDEEP
  
  12288:dIAk5dkePe076dLUl2UL8ad53Kbp0auXd36ipkR0OhlPN5lYA5Ff7hA:sr76F8Pld8byL3zpkR0OhR3Ff7hA
Score

10^/10

stealc logsdiller discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral11 behavioral12
- Target
  
  54fa4544762fb14d407756fad69201bfaccc8db821a94e63079531d556cddeb1.exe
- Size
  
  695KB
- MD5
  
  dbfb5a1fee1df3d86b1cdba9e338b31d
- SHA1
  
  8ad3ac1b565630891c965f54f4c144da125f572c
- SHA256
  
  54fa4544762fb14d407756fad69201bfaccc8db821a94e63079531d556cddeb1
- SHA512
  
  7a9993a1031aadd95bbd903e5aa6b671153106801b07e59da752aed8975c4fda3a762af9f3edc377c5632e19279913f6aa3a183162aee885871bb07931581f85
- SSDEEP
  
  12288:oT21qIgEAUr7vJvnjBaU/n0K4TnYzUSHzYlQM7vWF6M/Ukk:oKkILAUr7v7aU/0KaU3z/MjW18kk
Score

10^/10

stealc logsdiller discovery stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral13 behavioral14
- Target
  
  66e68902e968ac5c762b7d4950df70b2ef8125d38d6884ff9e37e72542e47b68.exe
- Size
  
  1.2MB
- MD5
  
  7251aef1d7960be902f604768ff93a1a
- SHA1
  
  275dbaf6d2a5c301d9de9d8ec77cac54c8771c1f
- SHA256
  
  66e68902e968ac5c762b7d4950df70b2ef8125d38d6884ff9e37e72542e47b68
- SHA512
  
  d491be282bec8ba21f19a04f10b47360509754a5dd2578893ab71cd489053ae7704656c0aa6d9758958c651d631f4ed8c2004a3ab08aa824897396221adde0e2
- SSDEEP
  
  24576:ffmMv6Ckr7Mny5QLvxTcQ9HzBYLoz1zopMFd3B88:f3v+7/5QLvdSEfFdf
Score

10^/10

agenttesla discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  820a177b585f0a50c430e1b2ac66467cda0d96eb80b8e39ddf23079c8f2c685f.exe
- Size
  
  2.0MB
- MD5
  
  8dec1786c8e709701d60fdd14c78ba23
- SHA1
  
  e3496e09e22571195377f9c3e8a55c4b31496b86
- SHA256
  
  820a177b585f0a50c430e1b2ac66467cda0d96eb80b8e39ddf23079c8f2c685f
- SHA512
  
  4892ea3642325dfb7b49b0c5caa731b9db8b5f37e28ea21d58975be672bb268a5565b60c1b5dcaf1b3c240c61c5eaf92a8983da62bc05a0c43c08536cc809bc3
- SSDEEP
  
  49152:6Ig8rFJgWA1FOigKan2Ze5uunv4ne+vXb4SPESLs9e7P/:k8rF2AKa0g4ne+vTLJ7P/
Score

10^/10

stealc tale credential_access discovery evasion spyware stealer
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral17 behavioral18
- Target
  
  8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4.exe
- Size
  
  2.8MB
- MD5
  
  6258c0d7c31a5ba4b2b0cb9c97606acd
- SHA1
  
  123138131fc33eeeedc82e795f201981232a55b1
- SHA256
  
  8d5514730f330a6f4ae9b1807f0c77ed15975d469c7c92c10c690ed681210ed4
- SHA512
  
  9e8248a258475bf8676b041073da7985a3b0a6e57cf7293415e3dd1e6e8fd6bd0056ba4d60b33f6d4c0cfec4b3f33c43e88881c6a0f6fc52f3654ff12022875e
- SSDEEP
  
  49152:rPloaBLYs0dLLXmgmQPDWSJNCQdi2GjyIlAd28nZbmsl+S2sJaOP:rPl7ZoLbFmsPNHi2GjLAdVlqO
Score

10^/10

dcrat evasion infostealer rat trojan
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- UAC bypass
  evasion trojan
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Checks whether UAC is enabled
  evasion trojan
behavioral19 behavioral20
- Target
  
  93e14db4af6b127444c9349f6c9162f4eebba4c220378be18d63f9951cb63b0c.exe
- Size
  
  2.9MB
- MD5
  
  1279c027a5157053ead6d16bba200356
- SHA1
  
  eafac59e5bf3507f0bd289ad3919e82a994e8f7f
- SHA256
  
  93e14db4af6b127444c9349f6c9162f4eebba4c220378be18d63f9951cb63b0c
- SHA512
  
  2b16876710c9723860862c2e2ba1ecaf526a5e7de3e11c3b9e5ee2e877039d66e57fc5122fc9fbbe12ff36df66a11787144cfe54c9243455b1abe159e49c3410
- SSDEEP
  
  49152:5SLJ5lD28FyWNuea2iS+m2HnFdEZctzDdh9W2:5SLJ5lD28Fyvea2iSP2HpDdh9W
Score

10^/10

lumma discovery evasion stealer
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral21 behavioral22
- Target
  
  9770fde1f1e7fd98bedf06daa29c7451f52ad1719a0d606343846c73b34e8218.exe
- Size
  
  1.5MB
- MD5
  
  8e20ba2f6b7499d6b04745bd9310bc16
- SHA1
  
  8dd4d09c7c26a0922db8779598f5124468130017
- SHA256
  
  9770fde1f1e7fd98bedf06daa29c7451f52ad1719a0d606343846c73b34e8218
- SHA512
  
  66328775ef65b180300a0509dad7851bdf371210e8c8787050c47b55f2018ae16372b0ad8f5ac4019c53d2332d7e46789d3d601ae56249db69800531b5f38742
- SSDEEP
  
  24576:ffmMv6Ckr7Mny5QLvoU2lGCz1RJeW8wt9QKrgjiBrgYSenVtAjXzd06v8P:f3v+7/5QLvovlJewtBrgYDcXPv0
Score

6^/10

discovery spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  App_Dev_Details.xlsm
- Size
  
  70KB
- MD5
  
  246485b057592839c9ecd72a85fe9d39
- SHA1
  
  4cf0ae8960851a0d33801649ea5ce0eeb160a8e1
- SHA256
  
  6132d5fe4e8480e0fd80d842a230e53cb4e47f06bd5b3d5cf87ce0ac4ef464a4
- SHA512
  
  ae4a5e7259142df7ebcd6cdb6fca39c887e6e1e7bad4f585d8d1b587141ecf8493a55e9d3c3ff05a37547dce9ce9085cc3a3229baf3a18e8dd8062ad9e3a4198
- SSDEEP
  
  1536:eyCUk2qI4Deap+fjSCqP533pQp6mPw0MlKOhqVqr/3hGrOVLQ:RRGeCCShP536pdPOlFqVYvhGrO1Q
Score

6^/10

discovery
- Blocklisted process makes network request
behavioral25 behavioral26
- Target
  
  Celery.exe
- Size
  
  17.8MB
- MD5
  
  9456cbd8d57d7a61d899aae79b5ee862
- SHA1
  
  42135056c2f963cb94edeaac23f7c0eed1cde6b3
- SHA256
  
  24e427fe676e2b9ca98c7fc0179ed4c8ee058500072ad645d554ffeb2f072ab6
- SHA512
  
  c71030da342ba2c8d589c3f93e71c54d4578a16587787e0b4b3d97bf5a9bd6c49d282b117f695d27b3438f3affe5fc715cc5f587e6c3e679ea125c0cbfe2c057
- SSDEEP
  
  393216:2qPnLFXlrPmQ8DOETgsvfGF0gK8mvE9cUSdOibq:bPLFXNOQhEtdqFSde
Score

7^/10

upx discovery persistence privilege_escalation spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral27 behavioral28
- Target
  
  a563257161e5c3947e4ea5669e1ef5eafbe67d5049816de47313ada6f299ac10.xlsx
- Size
  
  98KB
- MD5
  
  b8fe6365e4a55cb70d0b9c457a7a7099
- SHA1
  
  da353f9118f9d6c3a6eeea1891a3b8e0e89742d1
- SHA256
  
  a563257161e5c3947e4ea5669e1ef5eafbe67d5049816de47313ada6f299ac10
- SHA512
  
  cc884090cc6a883f58d85940c236e73faa92f27d3a501023264ab844028c75a3dac601218f17f52df46729778e8078bb4a52950a30f4e76b4d18de10b94f1f22
- SSDEEP
  
  1536:4iqHy1S6F8b2SQrEkawpoXIonlwQMlUD5/VHGFht5mGs7Xh2ROvHt0ydYfki:QeFHrE2sIonlwQMl65/VmLIx24m
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  crss.exe
- Size
  
  12.9MB
- MD5
  
  d9ac11dbc44efa13f0563808c1a3a0d4
- SHA1
  
  7cbb463d42d753bf743b64a63e2f23e79ccc5e77
- SHA256
  
  3df7f30e5e00e9b6f89d383d453dc6202cc16e81b1ff79f4cfd360f0fddf01e7
- SHA512
  
  dbae696315da00a4fa2bc06cb9081d842b27742fa228363225ec8889509c578e031d4caf5de267f36bb58be3dbf4298a2ebc3a2d29e00774046a1122c2b8b82b
- SSDEEP
  
  393216:nhZ2YsHFUK2J8DfDg0c6c9g1fk/LBIVYA:hZ2YwUlJ8b0bQkFT
Score

9^/10

discovery persistence
- Contacts a large (2561) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral31 behavioral32