agenttesla

General

Target

New_Order_PO_GM5637H93.exe
Size

2.7MB
Sample

241202-h44d8avndz
MD5

181d1f4b2a81a394496d18ac24a00bfe
SHA1

2ded294c88299de16004433359748c0422bae330
SHA256

06150e8a137191d9513d89883efb3e0d3abe5839682c8340f4c4288e13b3b8bf
SHA512

397d78813a53949364440dedf1a9f3551ca5700b0ded182bb009a9cd5b824614884905e706c959f92feaa8738cca81fd115cafedd18056eb0469368f497730e7
SSDEEP

12288:VpoDtmdTXqQ0hS8dRwyD+zWC0hj3BoIO/R7n4fN/ylZMs+Ury8y:Vyx2l0h9zx+aC0p3SlZ74wZp+18y

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Extracted

Family

redline

Botnet

FOZ

C2

212.162.149.53:36014

Targets

- Target
  
  New_Order_PO_GM5637H93.exe
- Size
  
  2.7MB
- MD5
  
  181d1f4b2a81a394496d18ac24a00bfe
- SHA1
  
  2ded294c88299de16004433359748c0422bae330
- SHA256
  
  06150e8a137191d9513d89883efb3e0d3abe5839682c8340f4c4288e13b3b8bf
- SHA512
  
  397d78813a53949364440dedf1a9f3551ca5700b0ded182bb009a9cd5b824614884905e706c959f92feaa8738cca81fd115cafedd18056eb0469368f497730e7
- SSDEEP
  
  12288:VpoDtmdTXqQ0hS8dRwyD+zWC0hj3BoIO/R7n4fN/ylZMs+Ury8y:Vyx2l0h9zx+aC0p3SlZ74wZp+18y
Score

10^/10

agenttesla redline xworm foz collection discovery evasion execution infostealer keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Detect Xworm Payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2