agenttesla

Resubmissions

12/03/2025, 21:32

250312-1dmynatxey 10

11/03/2025, 16:10

250311-tmgdxaxnx4 10

06/03/2025, 02:30

250306-cze8yav1az 10

Sharing

Copy URL

Twitter E-mail

General

Target

bluestealer.rar
Size

5.6MB
Sample

250312-1dmynatxey
MD5

a90f4f14fd13ca22cfeb32127493bb3c
SHA1

680a9f3b7d74575cdd91f461e9e2b47c10e5c79c
SHA256

ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b
SHA512

69fee2468fdb90e4dfebe18dd90f040be372a8d7c35f049d1f594c4f6ec37a7bb9fb8f2c847114e315b214e823d3921d4260b3770628903a875a8b9fbb270a66
SSDEEP

98304:xIb3rOEojkouUyLJ/IIDwOMTwKoD+ORWkt78cZfHKDDFaWI5Sz3ptM9b3Pd4g6wx:izaEJvD0WD+OP8QfqmSz3pt2zV4g6SmC

Malware Config

Extracted

Family

redline

Botnet

@Baobabss

185.230.143.48:14462

Extracted

Family

redline

Botnet

@tupa187

185.230.143.48:14462

Extracted

Family

formbook

Version

4.1

Campaign

o4ms

Decoy

fishingboatpub.com

trebor72.com

qualitycleanaustralia.com

amphilykenyx.com

jayte90.net

alveegrace.com

le-fleursoleil.com

volumoffer.com

businessbookwriters.com

alpin-art.com

firsttastetogo.com

catofc.com

ref-290.com

sbo2008.com

fortlauderdaleelevators.com

shanghaiyalian.com

majestybags.com

afcerd.com

myceliated.com

ls0a.com

Extracted

Family

asyncrat

Version

4.0.0.0

Botnet

Default

2.56.59.227:8081

2.56.59.227:8082

2.56.59.227:8083

Mutex

Mutex_21687213

Attributes

delay
5
install
false
install_file
example.exe
install_folder
%AppData%

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.boydsteamships.com
Port:
587
Username:
[email protected]
Password:
co*tNjEBt4

Extracted

Family

xloader

Version

2.5

Campaign

mjyv

Decoy

wenyuexuan.com

tropicaldepression.info

healthylifefit.com

reemletenleafy.com

jmrrve.com

mabduh.com

esomvw.com

selfcaresereneneness.com

murdabudz.com

meinemail.online

brandqrcodes.com

live-in-pflege.com

nickrecovery.com

ziototoristorante.com

chatcure.com

corlora.com

localagentlab.com

yogo7.net

krveop.com

heianswer.xyz

Extracted

Family

redline

Botnet

@l_Like_a_Sir_l

185.230.143.48:14462

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

iphy.strangled.net:1604

gpmaw.duckdns.org:3040

gpmaw.duckdns.org:2020

gpmaw.duckdns.org:4040

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

@chucoed

185.230.143.48:14462

Extracted

Family

revengerat

Botnet

NyanCatRevenge

hpdndbnb.duckdns.org:2404

Mutex

90a49aa7c27647e

Extracted

Family

azorult

https://guifenergy.co.ke/bin/32/index.php

Extracted

Family

xloader

Version

2.5

Campaign

qs23

Decoy

alimentosafc.com

noveltyporpak.xyz

fleteszoom.com

crabcompanions.com

metumuskfinance.com

perfectwatch.store

thweddingstory.com

ameliasongsforever.com

enowrecords.com

mywebcrown.com

silianceconseil.com

moodoven.com

generalwholesalestore.com

laguiza.com

gionakpil.com

nftfreemarket.com

astrainconsultora.com

favoritepedia.com

mycprguru.com

estateadmin.services

Targets

- Target
  
  bluestealer.rar
- Size
  
  5.6MB
- MD5
  
  a90f4f14fd13ca22cfeb32127493bb3c
- SHA1
  
  680a9f3b7d74575cdd91f461e9e2b47c10e5c79c
- SHA256
  
  ee66a185008549b9ca0c687a78aa6a69e4770dd12cab9dc63d5346c1f570904b
- SHA512
  
  69fee2468fdb90e4dfebe18dd90f040be372a8d7c35f049d1f594c4f6ec37a7bb9fb8f2c847114e315b214e823d3921d4260b3770628903a875a8b9fbb270a66
- SSDEEP
  
  98304:xIb3rOEojkouUyLJ/IIDwOMTwKoD+ORWkt78cZfHKDDFaWI5Sz3ptM9b3Pd4g6wx:izaEJvD0WD+OP8QfqmSz3pt2zV4g6SmC
Score

10^/10

agenttesla asyncrat azorult formbook redline revengerat sectoprat snakekeylogger xloader @baobabss @chucoed @l_like_a_sir_l @tupa187 default nyancatrevenge mjyv o4ms qs23 defense_evasion discovery execution infostealer keylogger loader persistence privilege_escalation rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook family
  formbook
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- Revengerat family
  revengerat
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- Xloader family
  xloader
- AgentTesla payload
- Async RAT payload
  rat
- Formbook payload
  rat
- Xloader payload
  rat
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Modifies Windows Firewall
  defense_evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1