agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18
Size

21.7MB
Sample

241121-zhn6vasjcn
MD5

a9460cbeecd230ffdb2c22ae81409572
SHA1

8bb274360ff935d945b2a899fe9dc304e5c0a290
SHA256

031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18
SHA512

efd0f21fd9e24225d240c74b03ba2ac734e47ebfc47c74e69fed6d77cebfe42a9838a54822d8de5e0cbba9daff6909ac4484f779d3842a156451a3eebc5a0a10
SSDEEP

393216:r2flKxdMPPVBLFH/gF51yAyxv6DLYJhMhD7lHs/lKLX1JwmGGyfj1OQZ2hG9j:ragxE7glyHv6DLnhXlMdKLXImGPfhOQd

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

synv

Decoy

hareemshareem.com

aromaticus.club

sakabay.com

ebtedaieeduone.com

goodyertirerebate.com

mehmeterdas.com

everestjsc.com

eqtclub.com

ahlcide.ovh

snifu.com

grinabrasive.info

ijustwannablog.com

eng-in-use.com

mo-ip.group

beautynblackbody.com

presto-eng.info

jarah24.com

marigoldbrewery.com

onpointcomprasbrasil.com

cdrh-consultores.com

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
mail.dm-teh.com
Port:
587
Username:
[email protected]
Password:
Vm@(O;CO.vEQ

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

RemoteHost

elninotronics.com:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-E8E8J7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Extracted

Family

bitrat

Version

1.38

185.244.30.28:4898

Attributes

communication_password
58d566f77fed2099674f84e99ed222a8
tor_process
tor

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

xloader

Version

2.3

Campaign

m6b5

Decoy

ixtarbelize.com

pheamal.com

daiyncc.com

staydoubted.com

laagerlitigation.club

sukrantastansakarya.com

esupport.ltd

vetscontracting.net

themuslimlife.coach

salmanairs.com

somatictherapyservices.com

lastminuteminister.com

comunicarbuenosaires.com

kazuya.tech

insightlyservicedev.com

redevelopment38subhashnagar.com

thefutureinvestor.com

simplysu.com

lagu45.com

livingstonpistolpermit.com

Extracted

Family

formbook

Version

4.1

Campaign

vd9n

Decoy

theunwrappedcollective.com

seckj-ic.com

tyresandover.com

thetrophyworld.com

fonggrconstruction.com

hopiproject.com

sktitle.com

charlotteobscurer.com

qjuhe.com

girlzglitter.com

createmylawn.com

hempcbgpill.com

zzdfdzkj.com

shreehariessential.com

226sm.com

getcupscall.com

neuralviolin.com

sanskaar.life

xn--fhqrm54yyukopc.com

togetherx4fantasy5star.today

Extracted

Family

xloader

Version

2.3

Campaign

weni

Decoy

sdmdwang.com

konversationswithkoshie.net

carap.club

eagldeream.com

856380585.xyz

elgallocoffee.com

magetu.info

lovertons.com

theichallenge.com

advancedautorepairsonline.com

wingsstyling.info

tapdaugusta.com

wiloasbanhsgtarewdasc.solutions

donjrisdumb.com

experienceddoctor.com

cloverhillconsultants.com

underwear.show

karensgonewild2020.com

arodsr.com

thefucktardmanual.com

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.badonfashoin.com/
Port:
21
Username:
[email protected]
Password:
kKsIA9XNV2zG

Targets

- Target
  
  Order.exe
- Size
  
  184KB
- MD5
  
  b48a1b6628f1f941e506d15013a72619
- SHA1
  
  4d6a9fb6ad5aa1b53440c2eb0806602fc164b0a2
- SHA256
  
  cf540119b481ff1a73efd8f50bc5942faaa46e79f9cb78d06b2b993ef4c921a4
- SHA512
  
  c74f5fb663cd9e34c234a78884a30399825ed4211d5c1a795bebc6fa2546ae02ba9ddf24e648fd251ac5a265131cd645855483aeb411892367858ac2a571f6be
- SSDEEP
  
  3072:LizuMU66n2qcHf29Twf8uDiy88V2Sx5Ci8LBNaP08uxcRqqHq0cS0Gf3RMlyPrsD:lM+Me9cfBDiy8i20HunvxcRHqfGlov+M
Score

5^/10

discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  төлем туралы есеп#454326_PDF.exe
- Size
  
  899KB
- MD5
  
  8ffb5b1aba6759d623f20a9744de4dd0
- SHA1
  
  969a580a9e874f8e5a38d7fb4db664be1aa35ce5
- SHA256
  
  8674688f673421c41dd39734f690c3b1b0aa8aceb5adeb057cf8b21d8f2e41a6
- SHA512
  
  3713871db07036eca5846ca681432e63dbf1951a47186c1f8458a3395da57b53ab796f5b44025bb277cb6f281fecf401d090bc8618fa72b9ea20fce8991a538c
- SSDEEP
  
  12288:PNVCqo8zTyvUIZbVlBPI2VBPpZ9SgkVJNoH6tm8EblyuVYvv/zzbVgnQe:0vDBlBPIOBPHsl7Q6tm7blmv/nbO
Score

10^/10

formbook vd9n discovery rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Formbook payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  87597.exe
- Size
  
  704KB
- MD5
  
  7e19235ca4a6192bdace52baa0a40d26
- SHA1
  
  1ac8aa96052b0da4f7d1072ca8fee01ade2e9f71
- SHA256
  
  ed762437d06ffae4d27baec39379997d8acf7ae6e6e758611793f3fb2fafcee1
- SHA512
  
  a67be81bf2487babe021184427d47004791fca072b93ea61efa40d81680132ffcbd96cd78a00a8f316be50d5308ce1d5f2b29dc19be32e91a74a65a63c7705a0
- SSDEEP
  
  12288:l3MyvUIZbVWX7Q6cgNMuAx206pm2MGydGcHazvuHw3ItoaI43JYLh2ADli:5TvDBW3cEaeMGpcHazv0tV/OLh2ADl
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670
- Size
  
  2.5MB
- MD5
  
  20f44573ee6dea2e3b5935c6b1b979db
- SHA1
  
  4c7429743c92dddb6929931585de25eebf1792cb
- SHA256
  
  29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670
- SHA512
  
  8c96de16c6cf01b351eff07585c0063167f9d1695510b2a1701ced7fd45aa8c34d101d5cc1e785306daf6c9f4ab9fedd7898608b92468f9483ce44637015aa0b
- SSDEEP
  
  49152:rUy6Rw/xG6ds61Yt0E1EgivHgYkYU06z:8Rw/xG073vH0Y
Score

7^/10

credential_access discovery spyware stealer
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e
- Size
  
  887KB
- MD5
  
  040cca91f06819461187ad57faa81f30
- SHA1
  
  51b4261aa8c7a475ca9223d4dfddc19a2720096f
- SHA256
  
  2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e
- SHA512
  
  b95e41af609572c7e1de13f03abc9779b00cbc7fc4587345ad1a6259baec08a82e11d8e66e02f11049946dcef6620dcc50d9d9fa120e476eb571698718e4bc80
- SSDEEP
  
  12288:ybL3+yvUIZbVlBPI2VBPicnA6dLviSv8PLpSaeFzLyeSXmOpgfm3Q+:yb5vDBlBPIOBPtnfdLaSEzpwzyXpqe
Score

10^/10

xloader synv discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  RICHIESTA DI OFFERTA.exe
- Size
  
  236KB
- MD5
  
  73bb5c4b690b8d6df88d6bc18fb3a553
- SHA1
  
  60adddd91b6038fc9d819cf6d647ce3be0b11d38
- SHA256
  
  a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66
- SHA512
  
  9c023dc66d9bcfb2f5bc0274001d92948ac058fc8765d2178907dfd8fb9885ede57acc3836d583ad97516dce1a97c50f081800b41a1f42ea938efb8b23e87567
- SSDEEP
  
  3072:+3BepJlZa/xao5JKwI7V4R4iUW/qcijw2HJlZapGBR:EiUIo5JKPgU99vHP
Score

10^/10

guloader discovery downloader
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
behavioral11 behavioral12
- Target
  
  39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c
- Size
  
  846B
- MD5
  
  351b843f627dad02a1e21178f29b59ab
- SHA1
  
  801db68232be9a0d7b89a834a18d0d1ecf4cdeea
- SHA256
  
  39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c
- SHA512
  
  9c3adc2f1251223b1e0dd1ce983dcb0e4a86c5b3abc7880b4028b1e5d9e8d9c59a394e2b0638eaea2aa9dd84c2d49a0ff775a1558bcfee4c3c9443481d0c46a0
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
- Size
  
  1.1MB
- MD5
  
  1ee5c7e3b59f02fef1b0f793d2196afd
- SHA1
  
  3f1a1ce12dec33f946079a532ccda8e0c72f2c7c
- SHA256
  
  3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b
- SHA512
  
  0d106c3451f88ed8f27abe47917c4ba4b25706df623f3a0879c5a67c09a269a48b35b94ca25fc2cb7447be75a7e05cbf5464f4c1aff80224c20f263d321387be
- SSDEEP
  
  24576:1kcNn8Y5TrvvDB/mF1BVB/9ogBzVf/ppYbItJ4Rvk7xz:l5TrTcBVl9BTpTrV
Score

10^/10

blustealer discovery stealer
- BluStealer
  A Modular information stealer written in Visual Basic.
  stealer blustealer
- Blustealer family
  blustealer
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
- Size
  
  35KB
- MD5
  
  99551779549809d289d12efa5ac43e4e
- SHA1
  
  66b5b7aa0264b12e24f37388330a60991de3146a
- SHA256
  
  53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
- SHA512
  
  46c3e62d314c028ff812d299ed54e0cc8602422d462d58e35a1ea92b020cddb1700cfb91f339729b4018cd3cac7eb2268c5e0d5599f6a15f21d663626e2a2afe
- SSDEEP
  
  768:RQI4+orqJGPvcK/kmG+1mAaElNZuw3/9WmEyhqbaWB:6FKJGsgkm/mABlNZ//cmnhqt
Score

10^/10

mirai botnet
- Mirai
  Mirai is a prevalent Linux malware infecting exposed network devices.
  botnet mirai
- Mirai family
  mirai
behavioral17
- Target
  
  632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1
- Size
  
  9.3MB
- MD5
  
  aaa839e4993c07fdfba45afe8826d6bf
- SHA1
  
  3d00bce50c92b31c3d74d20c5451aedc6878a246
- SHA256
  
  632cfc71bd4734fdd98e48166a52fbc4a48d43640f3375fd882dd374479bffb1
- SHA512
  
  e3bca0a028a39e602b093069fb84a84ff13d7451ebaaf05dc127aa061ae7d096460133a3b8d726adedafd1dd08d09621197bf9e8747ac622bfedd909dec6f3cc
- SSDEEP
  
  98304:IydePKsBylarg6bY/J1ZKbTsBylarg6bY/J1ZKb2ayX0I6:IHisB2Eb01ZssB2Eb01Z820X
Score

10^/10

discovery remcos remotehost rat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- Executes dropped EXE
- Loads dropped DLL
behavioral18 behavioral19
- Target
  
  685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
- Size
  
  2.2MB
- MD5
  
  9882d9bb0a03a191d8ba9b4bc9c254c5
- SHA1
  
  23bbe2b78cfb4d2c1232fb48bda0dc1ea30222d6
- SHA256
  
  685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03
- SHA512
  
  c3d683b765eb78dd21105096da079720a4b3abf717cb170b88059e900bd3749caf8002f125e7a0d6e4be2f4f703a5267d951af565eb4ba2a635d0233a8fdb6cc
- SSDEEP
  
  49152:AknKa6MMOFqbdx14d2RjbWk0nUt0LrOmJwHL0leN3vkPZ:j4OAxxK2R+UaEQ8kP
Score

10^/10

discovery execution bitrat trojan
- BitRAT
  BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
  trojan bitrat
- Bitrat family
  bitrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral20 behavioral21
- Target
  
  6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
- Size
  
  4.6MB
- MD5
  
  eaee663dfeb2efcd9ec669f5622858e2
- SHA1
  
  2b96f0d568128240d0c53b2a191467fde440fd93
- SHA256
  
  6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2
- SHA512
  
  211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3
- SSDEEP
  
  49152:U8+7QhuKuy4ab57x03AFPd96gUyeBW51fN4AsYfW4sAMnB4jt40bjqkNQU1:U8puFyft
Score

10^/10

servhelper backdoor defense_evasion discovery execution exploit lateral_movement persistence trojan upx
- ServHelper
  ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
  trojan backdoor servhelper
- Servhelper family
  servhelper
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Blocklisted process makes network request
- Indicator Removal: Network Share Connection Removal
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  defense_evasion
- Modifies RDP port number used by Windows
- Possible privilege escalation attempt
  exploit
- Server Software Component: Terminal Services DLL
  persistence
- Loads dropped DLL
- Modifies file permissions
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral22 behavioral23
- Target
  
  73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0
- Size
  
  835KB
- MD5
  
  7c81e999e91d1d0f772010dfa4c34923
- SHA1
  
  76caadc92346688b50a408b6c48017563a24844f
- SHA256
  
  73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0
- SHA512
  
  ee5777aafc4b568465b85322ba6ffcf0a38ecadde6274a2e4fdf440cf2ea061762a4b07eeb9a5b40b61d8bf3dab91871715bc5e64da74768f0be342b1f79ae27
- SSDEEP
  
  12288:8BzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4aBgZ7u/8u5DGDt2:ucneJVBvXAvwRJdwvZ5aGzu5DGR2
Score

3^/10

discovery
behavioral24 behavioral25
- Target
  
  Inv_7623980.exe
- Size
  
  829KB
- MD5
  
  b20d9ced5d063ec28425551a520ac59d
- SHA1
  
  f6bfd3346ed28ef6ed5e45d89f6b1f89d8296b0f
- SHA256
  
  3ad516ed1d59d2a83e03dd014de474999c1d20885639cd2f77c1108c636636df
- SHA512
  
  2bbfa0ab4ef7132e5740e54d1fcacb35fdbea4a89b5208f42b4660377f5e18f7a09cad7c589d3a1c3b02d06228ba8b3cb02d6f32b0fcf18b71f23c0e367c48d4
- SSDEEP
  
  12288:sJzJBoc+ZPzbmhJP8jA+09+Ny6UMZET3jcqd+lHLN3BwspCVad5+v991DqGTR:sjec+ZPzbmf8jFNu4ETQqwtBw
Score

10^/10

xloader m6b5 discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Suspicious use of SetThreadContext
behavioral26 behavioral27
- Target
  
  8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8
- Size
  
  1KB
- MD5
  
  c3bc357d17e8b2403ce323807e75911a
- SHA1
  
  4b37b7afbadab1bbdac7e43fb283f7180e47ea1d
- SHA256
  
  8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8
- SHA512
  
  463b9dd8f7d8006ec0f28b9383357904b3caeeaf1792e1127be011b20f1ee0c49ca422c4ed7fbfed60fad83bfff5d6728da43e68b4863d6032b7866e162b9c86
Score

8^/10

execution
- Blocklisted process makes network request
behavioral28 behavioral29
- Target
  
  USD $.exe
- Size
  
  1.0MB
- MD5
  
  7098068c07032900ff073b55a8ad8e0b
- SHA1
  
  5bdda0bc06b935689f29d55b297d0523d82c6bfa
- SHA256
  
  2d7aac32ea8a8329262ead70ec2f030c1a4061e4edafdf03e605bb9ce606836e
- SHA512
  
  c5568a37cd6cfa600af5742acd1143d434035e2b5d7caa515ccbf182c6f72030e28a3562ee9f5e9341bcc5aeef45f498434fb8ff6835bc07c04220440d0aaf39
- SSDEEP
  
  12288:WA72Z5kzykTvNYf3ACtYKWBAZcQEuanCJ4ZTuWnCT2EypSTU0KfOgzUhr2X0GSGl:WAaZ5k7TvqfwCqiZ9149O21FCWZ
Score

10^/10

xloader weni discovery loader rat
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- Xloader payload
  rat
- Suspicious use of SetThreadContext
behavioral30 behavioral31
- Target
  
  91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9
- Size
  
  400KB
- MD5
  
  315c3439a84941a3da05b9b09752dd5f
- SHA1
  
  ef24cc39f3f75c879d819480831541f12273f9f0
- SHA256
  
  91d079d9371fa53227e4bb2207ba4d3aa4733feee607773b696779c5e87846b9
- SHA512
  
  78229f409f4cdf93b87153325e37460855363eac92a84193d5aa82a6121c538d89e77c0da0dac977fbe3f8dc43482f560831ce2384e68268c8c99beb1d71d4ff
- SSDEEP
  
  6144:gFLtM1nJIDQx2L2RCo0iRdd21gloXpSFyLbSp13XsfN1/QH5s1mkbK4f4OxoWts4:EOLIyRn0ivdVlCSFlp1383wsmC4VplY1
Score

1^/10
behavioral32