agenttesla

Sharing

General

Target

7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca
Size

3.5MB
Sample

241121-y6rffaxja1
MD5

f004e11d796513cb3c3a9580c1070c16
SHA1

3a9aaac8ca2ec8765ce3f2d5e270faf87e7d3c24
SHA256

7ca0acdc3e8b24c2034b2205dbfdf744c903cae7c88b1d09b529991168c05dca
SHA512

617e6af68e84c9f8bb0f7965c722b54bcf21e9e2b59008eacb394f6e323ebcf4d69f24f4562eb86b261256fc312a8b2565ac279303cb2ba69cc30cbbb3c44023
SSDEEP

98304:3nCTQW6ZDA0eBPcohegkQhXUQWxo66Z0WpwGIzUaGP+o:3rZy0+ejaXwanZ0WpLIzUaw5

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.topfrozenfoodbrand.com
Port:
587
Username:
[email protected]
Password:
Chukwudim28@
Email To:
[email protected]

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://spa2o.com/H99.jpg

Extracted

Family

xloader

Version

2.5

Campaign

nqni

Decoy

lekitaly.com

heroteas.com

funtique.art

cedarmoonshop.com

greenozon.com

jonescompanysolutions.com

pdxls.com

icreateandcut.com

healthylifeagainnow.com

zhongxinzxpz.top

hotelsaskatchewan.info

louisebeckinsale.net

hivizpeople.com

sanjoseejidillo.com

turnspout.net

suddennnnnnnnnnnn02.xyz

annianzu.icu

webdesigncharlestonsc.com

headrank.agency

bradyiconmusiccenter.com

Targets

- Target
  
  IoC/00496083.xls
- Size
  
  62KB
- MD5
  
  ac50c89f3656c1386a6c43ca01a6156d
- SHA1
  
  5a05155043902ec4b60bfb75e5fa2996b04a806d
- SHA256
  
  ef2cd6b4fd4fbeedc663f59c5196f63338b9f66242230d15f70cdaeba3bfde54
- SHA512
  
  c64162be8857b66c13ae93fac54b392e9c663ec377f572178e7db2953e719b5b8d9c65f192223483c58ac85d97d21cd6024f55bb7658430fc1a94bf96c63f443
- SSDEEP
  
  1536:/IvlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0ylHqfq21PfQBk4MmsiK:/mlYkEIuPm3fNRZmbaoFhZhR0cixIHmE
Score

3^/10

discovery
behavioral1 behavioral2
- Target
  
  IoC/680589798891.xls
- Size
  
  67KB
- MD5
  
  c5901f0f22f4e65d9dfa52cfc7dd3523
- SHA1
  
  b67db8419e593586484c44915f98efe0cc56a991
- SHA256
  
  0faab5c7822aa460690804fe07ad3d40a7fc07667e7034912f22431db65bcb4b
- SHA512
  
  a92332b1e2515889cc13c939b1a372f2799e11d4e595e3199e5579e1c357bff8b3be36641b113916475a7dbb6fc05b8f29f97f2710f04830893f3032938ff924
- SSDEEP
  
  1536:LsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0nRDbxsh8xg4aSm1wm3arV5:LhlYkEIuPm3fNRZmbaoFhZhR0cixIHmy
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Consignment Document.pdf.exe
- Size
  
  811KB
- MD5
  
  fbb9230ae2a4ca7f46593ab6789e199f
- SHA1
  
  20aea267228740a622c8eeccc995189b76117f97
- SHA256
  
  546e4de16f4439f9974120fe254e23f348dc5c71f37e92a4d6a55f416f0ac07f
- SHA512
  
  505b52520a496a5b60db11988874c06048fc74386def5bc3692dbf0340ddc544dc22925c299e1ce7f439e51cd28d5b71303d7a5f02adb24a2b66ab4301058080
- SSDEEP
  
  12288:TcUqU55Vko5bNrMNQNg0qlg1lQNp7VADfGDwozGmQ3ouXTleiEmPrAuh8fsQOQXO:OL0jYsGDbzf0j1vDNhisQ/QcV5U
Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  DHL SHIPMENT NOTIFICATION 284748395PD.exe
- Size
  
  923KB
- MD5
  
  5ee25ee3bef6f1109e8e5c8afc529bfb
- SHA1
  
  c42b0a2d659da89cdef6be1cc1e3a2286c451c6b
- SHA256
  
  7fbfbbd33f5401e42301ed5323babb0352aad11f514dba03873e9d1770026d31
- SHA512
  
  0af090a62bd8f176aade2831f89d1f948977d01624747f6a2016b4d414c807b898ac8969d88ee80fb1195f404f19a82919ca20608ff20bfa9bde75e6f6d6412a
- SSDEEP
  
  24576:AEijPd58C2Nse3Sjt5/rCwTwm06geoAj:4rduC2NseiJ5/ewTw6LoAj
Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  EZ0496.exe
- Size
  
  780KB
- MD5
  
  5a67509f3472ff42c3ccfb63fca70b7e
- SHA1
  
  8de5cbf18f1927c218e068831947c6a4ea1cc153
- SHA256
  
  dddc02f397519000994d6ceda5f33e4c4073fa6639c667d2cbaa0b0ee72944d4
- SHA512
  
  2d46cb65214e8ad2b53f413b2f4f2209ad9b739aaa7feffca3920537fa6e5d4b86528706b600260b3f5a296d7a724f5a6442973083dc0f32a17e6e45b16249be
- SSDEEP
  
  12288:r5VkoZUWVp65ZKUqWuRHDoiPkmXW1X5UGoELmfgih5xEu//j:vpW4UqWuhvkj1pUG7mIibT
Score

10^/10

agenttesla collection discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  IoC/I055170_06975755.xls
- Size
  
  94KB
- MD5
  
  44bbbdac3334b73c0f8773202d36cc60
- SHA1
  
  26fdaa1de7ea45d1f1b6b2ce5f86ee6e030f308f
- SHA256
  
  ef92e23f3ab74a0babcbd3bb96cedc7883bda95b3dab7b42c0d363ed4b18f535
- SHA512
  
  56ba1da3d1ade5dbfc41a151a75f65ac4ebbc645dd0ed4bce68b76ca00250a0f08167c71a9e391541a086aedc61498b1f7f0cee4ba4cc5bfe524905381860046
- SSDEEP
  
  1536:UsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0MokRElmW8bthBHOnMgQvUbwmq:UhlYkEIuPm3fNRZmbaoFhZhR0cixIHm5
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  IoC/I795405_33242211.xls
- Size
  
  94KB
- MD5
  
  44bbbdac3334b73c0f8773202d36cc60
- SHA1
  
  26fdaa1de7ea45d1f1b6b2ce5f86ee6e030f308f
- SHA256
  
  ef92e23f3ab74a0babcbd3bb96cedc7883bda95b3dab7b42c0d363ed4b18f535
- SHA512
  
  56ba1da3d1ade5dbfc41a151a75f65ac4ebbc645dd0ed4bce68b76ca00250a0f08167c71a9e391541a086aedc61498b1f7f0cee4ba4cc5bfe524905381860046
- SSDEEP
  
  1536:UsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0MokRElmW8bthBHOnMgQvUbwmq:UhlYkEIuPm3fNRZmbaoFhZhR0cixIHm5
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  New Order 00027748585 02222022.exe
- Size
  
  374KB
- MD5
  
  3a775fc493f5b67eda09eb9ef72dc787
- SHA1
  
  5e395f0621ccca65dccf3a5d55d18d34007784eb
- SHA256
  
  891447d38e98041530423dbe6f025a12dc3202af931d079cfe02af2cdf5dae68
- SHA512
  
  98535d5f28e3bcca2354b0e8f81e3e5d24075ad489c1e9b75ce6b7263083614b54373aa6f2db8d92cf953a0a06d5fd40efcae1d71eef09179f8b4de120c9fc91
- SSDEEP
  
  6144:wNeZGuOwoXx1OQFNuiSfUozTI0qHjEn8cFUekD9UqtJr0iN9s:wNoO9sfXI3jE8cF1A9ZJr0iLs
Score

10^/10

guloader discovery downloader
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
behavioral15 behavioral16
- Target
  
  $PLUGINSDIR/Math.dll
- Size
  
  67KB
- MD5
  
  85428cf1f140e5023f4c9d179b704702
- SHA1
  
  1b51213ddbaedfffb7e7f098f172f1d4e5c9efba
- SHA256
  
  8d9a23dd2004b68c0d2e64e6c6ad330d0c648bffe2b9f619a1e9760ef978207a
- SHA512
  
  dfe7f9f3030485caf30ec631424120030c3985df778993342a371bf1724fa84aa885b4e466c6f6b356d99cc24e564b9c702c7bcdd33052172e0794c2fdecce59
- SSDEEP
  
  1536:GUZ9QC7V7IGMp2ZmtSX5p9IeJXlSM2tS:T97WSth5lwt
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  cff85c549d536f651d4fb8387f1976f2
- SHA1
  
  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256
  
  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512
  
  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- SSDEEP
  
  192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  Windows.System.Diagnostics.TraceReporting.PlatformDiagnosticActions.dll
- Size
  
  75KB
- MD5
  
  9e1c426d748e8f7691e892a15d4fafc3
- SHA1
  
  b55d043557171de5b0b65a803f486f3c87863de8
- SHA256
  
  b2b95a50a3d69ffc56ee68a575c0c793d69b8bc367f7f9c4bc33373d03244bbe
- SHA512
  
  aace8fcdc142d1c5c1a77073ceee4c6c0c886cff5e40e6da118e9efc81a288b831ad65759d8de736a09f497c4f0d7475c79a32c030b36910f7555723f8e5a05f
- SSDEEP
  
  1536:XcZ5WRWr1A4fQEvSuK4SeW/1XTXN4omskX4BPUaNMiy6yzSlzCn45+iM4I9oUHJZ:XcZ5Ax4fQEvSuK4z2msRB1+iy6yWRoDp
Score

3^/10

discovery
behavioral21
- Target
  
  systeminfo.exe
- Size
  
  75KB
- MD5
  
  36ccb1ffafd651f64a22b5da0a1ea5c5
- SHA1
  
  dc4ca5bbb894ed8e708bc40129c150c2771f3987
- SHA256
  
  f1e43f167059ff746e200b21ddc55326cd8b3acd7d6bd9c541230db6f8bc63d1
- SHA512
  
  137aed54900dd441e88c388cc61a844b46f1f9e853fe0a29a5530931edd97b90eb4f4a0a6861aa1e3e5c67055a1e5c0ea49380744e5f4818992c7503e6a94627
- SSDEEP
  
  1536:pHJiQWrRyhhyhQBb5qcQLKy94abf2hq04dHc4xiGsTFZ3dxNm9:uruBFq3Ky94p404dHcaiv73dxk9
Score

3^/10

discovery
behavioral22
- Target
  
  wecutil.exe
- Size
  
  75KB
- MD5
  
  cc6fb0a8ab7197d1a0a85b00618924be
- SHA1
  
  78a0878b337c36f7d18005d38cccb6c0d0a2221c
- SHA256
  
  6538b49c984d6c100a969a90f337c158c52ad072d84df746f676176728e74520
- SHA512
  
  380e2ff5c6ca11e499bd8ba46144be6f5e91b5e05330aeecbae52b32dcd4a9dfd90699e388087cb7a2496ab438ec6b89db73a47d9f5d2be4c38ec0ff387b04f1
- SSDEEP
  
  1536:Dqw+kFxE47uKKB3ZYaz17oNAXH8ElX6D7YAnQIdH:Dqw+k3xu/pYazloNi8ElX6vNn
Score

3^/10

discovery
behavioral23
- Target
  
  New order 003848848575 02162022.exe
- Size
  
  6KB
- MD5
  
  ec11df1acf1ce25da6daad0453d92f02
- SHA1
  
  a3eb5d8f63e6f6cc15445002d8deb7be47fd013a
- SHA256
  
  b8043f0e196bc7742dfe211a10481ddf844442a3c135de465494bdd619546ce3
- SHA512
  
  5271f51a9b89e5748e32dfdc1b302d968ecd0085d82cb1a0c1e9b867244599687051f1770798789db4e4fc9591953d4d734f3ab0a2b641fcb989880932ab779c
- SSDEEP
  
  96:WRkWOfaeOVMwsO4JdjC/oI0HIGrqW0zNt:dDBlJJDISIib+
Score

10^/10

defense_evasion
- Blocklisted process makes network request
behavioral24 behavioral25
- Target
  
  PO_#YBIC3892900183902328_Evaluated Copy.exe
- Size
  
  665KB
- MD5
  
  197dd0edaa8b54d0d603e91784c69a40
- SHA1
  
  449a9453eac70fca50a13f372732971372259a53
- SHA256
  
  d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
- SHA512
  
  6a26fe5947945436aeb50222286fb87886b86ad7db4c447e664a64c673571383430ea1e2ea152f875518e30dc7e563c7aa30f76ef4f343275dcfb4674dea8f8f
- SSDEEP
  
  12288:wqPCYSx1alrmI6WvcmOEgJCegF63A5WfS2x3pxjsf:wqaVIiI6WvcykBzw5Wfd3/j4
Score

3^/10

discovery
behavioral26 behavioral27
- Target
  
  Payment Advice for Outstanding Invoices (2).exe
- Size
  
  621KB
- MD5
  
  2a2d3e7c62d3b3a9e9ef3565f04a2dc5
- SHA1
  
  e4829cc9645d8c2a26929d2f132cf6d0f358a988
- SHA256
  
  c435fcfb3786d573ede77e30ded01503640a4de64523df7e9078cfc572381ced
- SHA512
  
  0226f28426976c5bd064caabea3645062a99e1b1e99e79e4d518c783e208b299534ea9a4d1180bc43651fb1b65f72440382910b7ddf30e57ee4b8c9c9a732871
- SSDEEP
  
  12288:7Zbr8K777777777777TkNdgOG0IzkXh7aolFyiSu61xdEJXouOo0XSLEdigeAaui:7F8K777777777777TiP8EFhmoMst
Score

10^/10

xloader nqni discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral28 behavioral29
- Target
  
  IoC/XSG8996380.xls
- Size
  
  51KB
- MD5
  
  bb5f2b798381cddc1217970139ebf534
- SHA1
  
  b03d6f0690781341dc6ae05d4861687b970b02b3
- SHA256
  
  d2cabc8f6c991af9e19502355e0d5975ca15099e6cec0da0bd6a8e5510253a2b
- SHA512
  
  868e9f97c16ced5409cb7f02db891ecccbded7a0c51baaac3bcdeabc3c8d91a6376589e19ea67f1094ffce0dff38d8787ee919a4fe1ab4daa0135976e19075e6
- SSDEEP
  
  1536:JsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0Ks4aIajL+msiV2:JhlYkEIuPm3fNRZmbaoFhZhR0cixIHm3
Score

3^/10

discovery
behavioral30 behavioral31

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Agenttesla family

AgentTesla payload

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

AgentTesla payload

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

AgentTesla

Agenttesla family

AgentTesla payload

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Guloader family

Guloader,Cloudeye

Loads dropped DLL

Blocklisted process makes network request

Xloader

Xloader family

Xloader payload

Checks computer location settings

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31