agenttesla

General

Target

a30ef816bce43896b87dc946f00c0d75.bin
Size

761KB
Sample

240428-b3yn1sdf61
MD5

d97e0fd5452c030ed75cb2e9835cba2b
SHA1

e5d104d8fb3a5e75643ac31d8e01f5b312454cf5
SHA256

04850af649dac3c9ef6ea1a4a3ca6244ae110a42443bee390c5c3414bbe840f2
SHA512

9d4c86cdc761bb122ea6e3406dc015f510c34819a3319b5d58f732203997e044e507bf436528e1d8ae9b60f9f41e0d8aed07a0b01afaccd843ce1c52e30fae88
SSDEEP

12288:jwIczI6CVB4/JZEXYbebVbeOT86NM7hlvF7ASrflUR58vWnQZOZuxHQURDj7wW85:8IesXYbeRvbNM9ltlrc2+3ZOPBj7q8nC

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.starmech.net
Port:
587
Username:
electronics@starmech.net
Password:
nics123
Email To:
godwingodwin397@gmail.com

Targets

- Target
  
  Invoice.exe
- Size
  
  822KB
- MD5
  
  df0a67f2a0c162c5a5dee0a8fcd8ab22
- SHA1
  
  07981693f5b38fa99a88aca0e13ba5b6022b1465
- SHA256
  
  e62255f98543e0bb1abf017af13fd483e1382158021b7edde65fa55c1ad290cf
- SHA512
  
  b62ea9a4710dfc855cfd47f2c0cb8787c9ea6b1159387431d1cc70b5989dd59086aaadd62e42fea9b21d28834b6ece20dc1715245762d026e48e315544529f75
- SSDEEP
  
  12288:zPqnHvjNIrpf9rN/mc/CQw5PXdFPemY3kI26WE+34DO2IOxzV2SYm9nEix9H82rF:zyPjKr5BNDuXvfY0RfmIkzLNP5rJ
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2