agenttesla

Sharing

General

Target

8d82945bd5782a593aa632fdb3fe3b651893e434545b8c22e4576b3a2a0248d8
Size

2.5MB
Sample

241121-yrs1qazrdm
MD5

b98cced0400a7424ba4f102b72be2989
SHA1

b8811c5bd4f7168667b51643e09aeb95ae1038c5
SHA256

8d82945bd5782a593aa632fdb3fe3b651893e434545b8c22e4576b3a2a0248d8
SHA512

78ae36787c0caea2e5e2d4092afd60b4cdd426e2e907e72443b7125243c3377fdba8b78c465184ca565e70a48ba440285e7edec0b1d61e82a76e349759c4671f
SSDEEP

49152:hDU90MDkxASNAgPh5hPReQFhZBWXAlTfL0CEuQObLOFq9dVs3ph6:7QkxASygPPe0Ww5LfEuZbZdVspQ

Score

10^/10

Malware Config

Extracted

Family

purecrypter

http://13.231.238.12/dart/IMG1067410252030.png

Extracted

Family

xloader

Version

2.5

Campaign

iepw

Decoy

isabellechiritoiabogada.com

singaporeimpact.com

mdcxdgkr.com

fivestasrelectriccorp.com

apaspaa.com

datashen.com

yh2.space

remediationnews.com

randlesrice.com

mailclic.digital

n83a.com

wmeacc.com

cahuvoa.xyz

h0t-now.com

admtrans.com

yghdlhax.xyz

bakshipping.com

ambermariemusic.com

mandelbot.tech

cryptoassetmanager.xyz

Extracted

Family

warzonerat

hotboy01.ddns.net:4545

Targets

- Target
  
  CATALOGO CAMPIONI2022 IMAGINATON SRL.exe
- Size
  
  984KB
- MD5
  
  08c80c3ab9ea0ebebd24279ef82448d2
- SHA1
  
  cfe0664d25d7ac1d74e4ff3900ea2920d5db7a20
- SHA256
  
  57f0ec5d28d0ee7481e9a465f94bf79fa5d135e9b7d1d1e8b98b70442910c7a6
- SHA512
  
  e286c76b7eb72ab7b410a76114ed08cfc40681938d224378637970e4c46850d665528b8f4454265ff0120416049f4964ac8659783d36879da9103922b1fd20ca
- SSDEEP
  
  12288:ugWW4Tf590cGdmQvItAOSji1NXO2VbRSbJGY0yX9MMNTQ47hjPAWP1e/:uzhTx90cZCqAOv1NBVY0a9MwLhjP1P
Score

10^/10

xloader iepw discovery loader rat persistence
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  IMG1067410252030.exe
- Size
  
  39KB
- MD5
  
  d27638db84894d3fa4935dbdbd5078ff
- SHA1
  
  c2b33647e8db1433e3e7767817e337772923aff2
- SHA256
  
  309c3ea985cf1b4438ded762e48ee09b3699ef020e0f28c76e5c63c34e02af66
- SHA512
  
  c642ef89f09cf8d22a506d9bd23f2c5fdc6e297f586127eae0e7572cc39942955815fb9c40ed53d145fa24fb670ddb78e2d118f29f1c51ef7259116d8bc740c6
- SSDEEP
  
  384:8lOcFdQqiz80LBDl3pf/+BWV9isZ0CM7vliFhXgobglDMcmn6f60wwwwwwwwwwwH:8IkDu9LBjf2BWVwsi7vAfwo/NQs
Score

10^/10

purecrypter discovery downloader loader
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Purecrypter family
  purecrypter
behavioral3 behavioral4
- Target
  
  PO_#YBIC3892900183902328_Evaluated Copy.exe
- Size
  
  665KB
- MD5
  
  197dd0edaa8b54d0d603e91784c69a40
- SHA1
  
  449a9453eac70fca50a13f372732971372259a53
- SHA256
  
  d8842d4c311c9e35f77ef0ee038f34061be70a55b38f949e0624d32e5a6a4212
- SHA512
  
  6a26fe5947945436aeb50222286fb87886b86ad7db4c447e664a64c673571383430ea1e2ea152f875518e30dc7e563c7aa30f76ef4f343275dcfb4674dea8f8f
- SSDEEP
  
  12288:wqPCYSx1alrmI6WvcmOEgJCegF63A5WfS2x3pxjsf:wqaVIiI6WvcykBzw5Wfd3/j4
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  PURCHASE ORDER.exe
- Size
  
  551KB
- MD5
  
  0a1689698e15f2d5a7779a850b46217b
- SHA1
  
  7aeaced0fde2314490aa1c40025d4c10a60efcce
- SHA256
  
  789299ea329d9ab7fcb7043cf50dd4321ae3878c7f8eeb3136b5ed04ce2626e0
- SHA512
  
  4fb7c1317b8ea4a484ab8b8e5b84a2673734f75765af55dda6fd032be21f696a69816b15f13569dd3957897c874a55eeae01ddc09ee5a9f2839cc7e3c9354350
- SSDEEP
  
  12288:NP7r9r/+ppppppppppppppppppppppppppppp0YJwjyHyBK/LWCNyTrz9h74:N1MbTL/wvLU
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  vxrlhg.exe
- Size
  
  170KB
- MD5
  
  80fee08628f07e4a7b845cc50733dacc
- SHA1
  
  01293924c19486df0c778f367bd91570d2a8fe23
- SHA256
  
  1e636514dc1362a291840f1b2752c61c94914061296df098b176956681f14d77
- SHA512
  
  177df61cb33e7fb15b2e9226006871265ea729ca8a2f7ad6f36c6372f6d43171d05bc7821a5bc09e5e215f328414fb0f0e3ecaa0cd39ec5cd970f8515a93e5e7
- SSDEEP
  
  3072:SD1ox12eClvt/E2AVnqybemkYdUY6U+5aau0CcXqxbu:S41DClZQq2uYCpaTH
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  PURCHASE ORDERSR1083004 Al Hitmi Fox Hills Residential MUE0.exe
- Size
  
  411KB
- MD5
  
  b34b6b21968f3ecf91d6c5e7a7aa67a0
- SHA1
  
  635ac67858b846b26569c3c86985f5f125cd11e4
- SHA256
  
  b17273d3677db30df59b70e0584a9e3f6644ef920a2fe6dfdc5518f840e09c06
- SHA512
  
  a20923c02ebf1bd432fe1307dd8dcebdf1f0d998a5d99d38b846089b425b3627c0cf7b754110a33f70ca8ee6015910cde3838b93fd5b0f8c4c7f515fd8f68b99
- SSDEEP
  
  6144:2xDZdVWwAOg5a34TcFyfEUK9vK3+f5Fhaa+IV60HbV1tAtYztD/:WdVYa34VfEUmv/hFYa56+VcCztr
Score

10^/10

warzonerat discovery infostealer persistence rat
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzonerat family
  warzonerat
- Warzone RAT payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral11 behavioral12
- Target
  
  cucacm.exe
- Size
  
  6KB
- MD5
  
  0bb7c6c0a98823d2add4de29846ef777
- SHA1
  
  b4d39b7a0faa45f1892ea4faa4c9fd57977d0fb6
- SHA256
  
  0db9ef4a094cc5597c748c3f83d35287000d1b2519ae092c85f9c5f4ec5cf42a
- SHA512
  
  e69d3df91eee94cb10a0ace66e29c3e66b39df9c8679ad485af5a825d8c052a6d49b6718c9a03920dcd9609b4c0f095542606fc400afe973e596402ba63a7d21
- SSDEEP
  
  96:5hQ5RrFbfZAPfgOJgH3DCOs6Edfq/VhB9oPOoynKx:rQ5PpHzPbE1wQPOoyn
Score

3^/10

discovery
behavioral13 behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Xloader

Xloader family

Xloader payload

Power Settings

Suspicious use of SetThreadContext

PureCrypter

Purecrypter family

Agenttesla family

AgentTesla payload

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unsecured Credentials: Credentials In Files

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

WarzoneRat, AveMaria

Warzonerat family

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14