agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

JaffaCakes118_e446bd97230671b6e38682ec9f3da7527c18dbd555efc7f27a52d144cf54edcc
Size

139.9MB
Sample

241229-3awgqszner
MD5

f69be0b5e5b4b203013e7504fd24751e
SHA1

ccb9cedd5ad3f880f9aa8754c0661ae69eed210e
SHA256

e446bd97230671b6e38682ec9f3da7527c18dbd555efc7f27a52d144cf54edcc
SHA512

3615aebd1cdd1eab2adee010210cc0f1f198bcd79d75d0d5c216acd17fefac121cff984c82aa1c580971ce49ffac0e77f54abf8d57622d065b4f38ce857dd7af
SSDEEP

3145728:z5Nl80yN+c3dNlPFXjQnIEf4m3WMdrLJHBnG:z3yd9TnUIEg0a

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Extracted

Family

gozi

Attributes

build
300869
exe_type
loader

Extracted

Family

gozi

Botnet

86920224

https://sibelikinciel.xyz

Attributes

build
300869
exe_type
loader
server_id
12
url_path
index.htm

rsa_pubkey.plain

serpent.plain

Extracted

Family

smokeloader

Version

2017

http://92.53.105.14/

Extracted

Family

danabot

92.204.160.54

2.56.213.179

45.153.186.47

93.115.21.29

185.45.193.50

193.34.166.247

rsa_pubkey.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://zxvbcrt.ug/zxcvb.exe

exe.dropper

http://zxvbcrt.ug/zxcvb.exe

Targets

- Target
  
  1.bin/1.bin
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
- SSDEEP
  
  393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Score

10^/10

agenttesla dharma formbook gozi raccoon 86920224 w9z agilenet banker cryptone defense_evasion discovery execution impact keylogger packer persistence ransomware rat rezer0 rm3 spyware stealer trojan danabot botnet evasion
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer V1 payload
- Raccoon family
  raccoon
- AgentTesla payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  2019-09-02_22-41-10.exe
- Size
  
  251KB
- MD5
  
  924aa6c26f6f43e0893a40728eac3b32
- SHA1
  
  baa9b4c895b09d315ed747b3bd087f4583aa84fc
- SHA256
  
  30f9db1f5838abb6c1580fdfb7f5dcfd7c2ac8cfac50c2edd0c8415d66212c95
- SHA512
  
  3cb6fd659aff46eaa62b0e647ccebeecb070ba0bb27e1cc037b33caf23c417e75f476e1c08e1b5f3b232c4640995ae5afa43bfd09252d318fe5eec0d18de830a
- SSDEEP
  
  6144:2E5sHpScP2xeQhp4wGoqPKNDF50AsurB:PsHIiQv4gBNDFiTuF
Score

10^/10

smokeloader backdoor discovery trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  31.exe
- Size
  
  12.5MB
- MD5
  
  af8e86c5d4198549f6375df9378f983c
- SHA1
  
  7ab5ed449b891bd4899fba62d027a2cc26a05e6f
- SHA256
  
  7570a7a6830ade05dcf862d5862f12f12445dbd3c0ad7433d90872849e11c267
- SHA512
  
  137f5a281aa15802e300872fdf93b9ee014d2077c29d30e5a029664eb0991af2afbe1e5c53a9d7bff8f0508393a8b7641c5a97b4b0e0061befb79a93506c94e1
- SSDEEP
  
  393216:oKzkshyIMtAcwzhQ/CceAocPwz3fwnjWKlDc8F6tB:BzkmSmzS/Be/cPquj7D36r
Score

10^/10

agenttesla dharma formbook gozi 86920224 w9z agilenet banker collection credential_access cryptone defense_evasion discovery evasion execution impact keylogger packer persistence ransomware rat rezer0 rm3 spyware stealer trojan danabot botnet
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot family
  danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Dharma
  Dharma is a ransomware that uses security software installation to hide malicious activities.
  ransomware dharma
- Dharma family
  dharma
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- Gozi
  Gozi is a well-known and widely distributed banking trojan.
  banker trojan gozi
- Gozi family
  gozi
- AgentTesla payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Formbook payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Renames multiple (99) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  3DMark 11 Advanced Edition.exe
- Size
  
  11.6MB
- MD5
  
  236d7524027dbce337c671906c9fe10b
- SHA1
  
  7d345aa201b50273176ae0ec7324739d882da32e
- SHA256
  
  400b64f8c61623ead9f579b99735b1b0d9febe7c829e8bdafc9b3a3269bbe21c
- SHA512
  
  e5c2f87923b3331719261101b2f606298fb66442e56a49708199d8472c1ac4a72130612d3a9c344310f36fcb3cf39e4637f7dd8fb3841c61b01b95bb3794610a
- SSDEEP
  
  196608:8YG+5pO1Ppb1rAMQQkIscfAb3mO5iW8uO2Kq1TIxz2HU6QPXJ0M2m9b/hE4:8/Bv1zsG2fm2bTcWBIXJHVrW4
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
- Size
  
  669KB
- MD5
  
  ead18f3a909685922d7213714ea9a183
- SHA1
  
  1270bd7fd62acc00447b30f066bb23f4745869bf
- SHA256
  
  5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
- SHA512
  
  6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
- SSDEEP
  
  6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Score

7^/10

discovery persistence upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10 behavioral9
- Target
  
  Archive.zip__ccacaxs2tbz2t6ob3e.exe
- Size
  
  430KB
- MD5
  
  a3cab1a43ff58b41f61f8ea32319386b
- SHA1
  
  94689e1a9e1503f1082b23e6d5984d4587f3b9ec
- SHA256
  
  005d3b2b78fa134092a43e53112e5c8518f14cf66e57e6a3cc723219120baba6
- SHA512
  
  8f084a866c608833c3bf95b528927d9c05e8d4afcd8a52c3434d45c8ba8220c25d2f09e00aade708bbbc83b4edea60baf826750c529e8e9e05b1242c56d0198d
- SSDEEP
  
  6144:vU9Q9tD5WuDQa4t3BMgLkzvCOnYxcEaSAOPou8BWinO8DR:8Q9tD5WyQlBBVAnYxRhr8DR
Score

8^/10

discovery
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  CVWSHSetup[1].bin/WSHSetup[1].exe
- Size
  
  898KB
- MD5
  
  cb2b4cd74c7b57a12bd822a168e4e608
- SHA1
  
  f2182062719f0537071545b77ca75f39c2922bf5
- SHA256
  
  5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
- SHA512
  
  7a38be8c1270b1224be4975ad442a964b2523c849f748e5356156cdce39e494c64ca80b0d99c1d989d77f072902de8972e0b113894c9791fb0cabf856dbba348
- SSDEEP
  
  12288:vI3h+hoVEZnvy/hF4CMWZrU7S/iAfMIItotPP2rbPCrF7:vu+hIE9BYO7S/iAOtc4be
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  DiskInternals_Uneraser_v5_keygen.exe
- Size
  
  12.9MB
- MD5
  
  17c4b227deaa34d22dd0addfb0034e04
- SHA1
  
  0cf926384df162bc88ae7c97d1b1b9523ac6b88c
- SHA256
  
  a64f6d4168bbb66930b32482a88193c45d8aae6af883714d6688ed407e176a6e
- SHA512
  
  691751cf5930563fc33aa269df87284ef5d69ae332faed3a142529babd988c54ec86a3517ea2e71373491bbb39962e801feb731e1d564c7294ae517b754ffc0c
- SSDEEP
  
  196608:zGeHGoZMYsFL0NBneaD/TuEIp8TnWh5bpe0RCQElmYzD9gXYToUdYZF0Nz6AV:yKGDYsdUBnTHLIpWnUeXQeEXU6s
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  ForceOp 2.8.7 - By RaiSence.exe
- Size
  
  1.0MB
- MD5
  
  0a88ebdd3ae5ab0b006d4eaa2f5bc4b2
- SHA1
  
  6bf1215ac7b1fde54442a9d075c84544b6e80d50
- SHA256
  
  26509645fe956ff1b7c540b935f88817281b65413c62da67e597eaefb2406680
- SHA512
  
  54c8cde607bd33264c61dbe750a34f8dd190dfa400fc063b61efcd4426f0635c8de42bc3daf8befb14835856b4477fec3bdc8806c555e49684528ff67dd45f37
- SSDEEP
  
  24576:sAOcZ1SxlW2YT6EtAcl0URqqqUeiG3STJq3n:64SK2YT6E1l0EqqqU1GwcX
Score

7^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
behavioral17 behavioral18
- Target
  
  HYDRA.exe
- Size
  
  2.6MB
- MD5
  
  c52bc39684c52886712971a92f339b23
- SHA1
  
  c5cb39850affb7ed322bfb0a4900e17c54f95a11
- SHA256
  
  f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d
- SHA512
  
  2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b
- SSDEEP
  
  49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S
Score

10^/10

smokeloader backdoor discovery persistence trojan
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Smokeloader family
  smokeloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral19 behavioral20
- Target
  
  #/power.exe
- Size
  
  507KB
- MD5
  
  743f47ae7d09fce22d0a7c724461f7e3
- SHA1
  
  8e98dd1efb70749af72c57344aab409fb927394e
- SHA256
  
  1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465
- SHA512
  
  567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf
- SSDEEP
  
  12288:0nMyjYPYhJDDNo6YdXTVq/ywZE8ktb/3o0:ppPEDDy68Yp+8k9/3T
Score

1^/10
behavioral21 behavioral22
- Target
  
  #/sant.exe
- Size
  
  12KB
- MD5
  
  5effca91c3f1e9c87d364460097f8048
- SHA1
  
  28387c043ab6857aaa51865346046cf5dc4c7b49
- SHA256
  
  3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907
- SHA512
  
  b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0
- SSDEEP
  
  192:I0EFK6COuHNlcW/1bXMvP8trt2mS3+dlRXwaziCP4kAIschKp0jeaJYrIC+sD:I0m/50t9bGPMrXSyGCP4kA6LyrIle
Score

1^/10
behavioral23 behavioral24
- Target
  
  #/ufx.exe
- Size
  
  272KB
- MD5
  
  4ccfdd49dbab092a4cc7b650372c4f91
- SHA1
  
  e842881fd09001a871e737c816f5c3d11ea45448
- SHA256
  
  dc7ee8b1ffec35c19e1e767265c1b40e6eb6af51157eaa8b05d51329697d16fa
- SHA512
  
  ebb8e34a991809094a7e1e28135ef4e81ff4681d6e4afbb7caa2fc4093a3461eecc63b1171ae3f8da9c182d2ee68825fb50cbf7080b704d284feca07acd1b63e
- SSDEEP
  
  6144:ma4InuJg58BkgqPoDH49n8Bb/c2aXZGjQ//rAsDGf83wlUY:mat0EAH49n8BQGYtyfiwln
Score

1^/10
behavioral25 behavioral26
- Target
  
  #/va.exe
- Size
  
  88KB
- MD5
  
  c084e736931c9e6656362b0ba971a628
- SHA1
  
  ef83b95fc645ad3a161a19ccef3224c72e5472bd
- SHA256
  
  3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1
- SHA512
  
  cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f
- SSDEEP
  
  1536:k6qvIQATBG8PT6vx3a1JKG8Z8YavU2apUsLLcIbw3PsjQ4YIeuPlP9:MIFTf23eJK9Z8YavLapUsLLcIU3pIeu/
Score

1^/10
behavioral27 behavioral28
- Target
  
  Keygen.exe
- Size
  
  849KB
- MD5
  
  dbde61502c5c0e17ebc6919f361c32b9
- SHA1
  
  189749cf0b66a9f560b68861f98c22cdbcafc566
- SHA256
  
  88cad5f9433e50af09ac9cad9db06e9003e85be739060b88b64186c05c0d636b
- SHA512
  
  d9b8537f05844ec2f2549e2049e967a8023bfe432e3a9cf25fc0f7ad720e57a5830be733e1812cc806c5b68cd9586a031e394f67fc7e3f7fe390625fd5dedfbb
- SSDEEP
  
  24576:uSdQdKdRdOdHdmHBnWs/nROBiGR4+hazer+Vufo/JxBYQ5:hH9DnR1Z+45Ufo/PBL
Score

10^/10

discovery execution
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
behavioral29 behavioral30
- Target
  
  Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- Size
  
  13.4MB
- MD5
  
  48c356e14b98fb905a36164e28277ae5
- SHA1
  
  d7630bd683af02de03aebc8314862c512acd5656
- SHA256
  
  b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c
- SHA512
  
  278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b
- SSDEEP
  
  196608:t7JG5fYHJl9nhdOvPuAZxFa9dfoyG5euyHvf97+pbgEtBRNBL1LFWIHWdgku7:t7BXWGldf+Au6VGBjFmJq
Score

3^/10

discovery
behavioral31 behavioral32