agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

test.exe
Size

14.3MB
Sample

250319-d3t2ya1yf1
MD5

8a44ee98217bc81f0869d793eefab1f0
SHA1

4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
SHA256

c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
SHA512

4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
SSDEEP

393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://92.255.85.66/a.mp4

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://92.255.57.221/a.mp4

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe

Extracted

Family

xworm

Version

5.0

92.255.85.2:4372

92.255.57.221:4414

116.250.190.209:4567

92.255.85.66:7000

178.173.236.10:7000

127.0.0.1:7000

Mutex

bFh8cGGVyBJ2hXxI

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://176.65.144.3
Port:
21
Username:
Believe
Password:
Believe56@@

Extracted

Family

vidar

Version

13.2

Botnet

f083f1f6fa006fbbc744aa9888fb3e8a

https://t.me/g_etcontent

https://steamcommunity.com/profiles/76561199832267488

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Extracted

Family

lumma

https://phygcsforum.life/api

https://0explorebieology.run/api

https://gadgethgfub.icu/api

https://84moderzysics.top/api

https://techmindzs.live/api

https://ucodxefusion.top/api

https://techspherxe.top/api

https://-earthsymphzony.today/api

https://absoulpushx.life/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://9modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://sterpickced.digital/api

https://.cocjkoonpillow.today/api

https://zfeatureccus.shop/api

https://mrodularmall.top/api

Extracted

Family

vipkeylogger

https://api.telegram.org/bot7692968455:AAFUd6DDUCm9bBSVBpp5I0Oudm0YDdn6C3o/sendMessage?chat_id=6163418482

Extracted

Family

quasar

Version

176.65.144.14:4567;

Botnet

tiktok

https://pastebin.com/raw/5KMaxFkV

Mutex

6b91ceb8-fdf6-44ae-8d03-cf7d52a55ba9

Attributes

encryption_key
6DB4822E80CF23FD4665B760183906FE57378512
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Chrome Updated
subdirectory
SubDir

Extracted

Family

lokibot

http://bauxx.xyz/mtk1/w2/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

asyncrat

Version

A 13

Botnet

Default

163.172.125.253:333

Mutex

AsyncMutex_555223

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

127.0.0.1:4782

Mutex

978b297b-bd79-47da-aff5-5421661f9499

Attributes

encryption_key
0DDB9B0261808BADD198F8317E24CEF19CD13885
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

quasar

Version

1.3.0.0

Botnet

sigorta

213.238.177.46:1604

Mutex

QSR_MUTEX_dxT1m3RtSBLlUoRqXL

Attributes

encryption_key
AZfjKXCnqT1oHdxEyyKo
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  test.exe
- Size
  
  14.3MB
- MD5
  
  8a44ee98217bc81f0869d793eefab1f0
- SHA1
  
  4756ed10cbf5dbad09746a8fa2c2e62c2f2b7200
- SHA256
  
  c26e2475ef60ba969bb66c9b464b498efb1da0bf7360ff7545c1db3b707bdbed
- SHA512
  
  4f18f54d791929cb24c02e8865d520e6263c096bef7ebd422578bca0600cadb6ea4b046654ef007ba056bf568ff3a19b068bf4313b4a218953a5bd2ecb0e6a02
- SSDEEP
  
  393216:vOWd863huc1dQJlAwF3MnG3InVFedWm7NS/xHWgnHz:2893hr1dQ53MG4VAHsT
Score

10^/10

agenttesla ammyyadmin asyncrat lokibot lumma meduza modiloader njrat quasar vidar vipkeylogger xworm default f083f1f6fa006fbbc744aa9888fb3e8a office04 sigorta tiktok credential_access defense_evasion discovery execution keylogger privilege_escalation pyinstaller rat spyware stealer trojan upx vmprotect
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Ammyy Admin
  Remote admin tool with various capabilities.
  rat ammyyadmin
- AmmyyAdmin payload
- Ammyyadmin family
  ammyyadmin
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Vidar Stealer
  stealer
- Detect Xworm Payload
- Lokibot
  Lokibot is a Password and CryptoCoin Wallet Stealer.
  trojan spyware stealer lokibot
- Lokibot family
  lokibot
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Meduza
  Meduza is a crypto wallet and info stealer written in C++.
  stealer meduza
- Meduza Stealer payload
- Meduza family
  meduza
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- Njrat family
  njrat
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
  stealer keylogger vipkeylogger
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Vipkeylogger family
  vipkeylogger
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Async RAT payload
  rat
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Uses browser remote debugging
  Can be used control the browser and steal sensitive information such as credentials and session cookies.
  credential_access stealer
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1