agenttesla

General

Target

hesaphareketi000001,pdf.exe
Size

2.9MB
Sample

200710-fm2dddx1w6
MD5

62365690663bb84166207a981d124d64
SHA1

35a0d45093ab7d5e6acc22b0f1b1ee0eaf38da26
SHA256

d90041e6b2a7deca5936829d8a2f6b9c190abcab6c81c3a99b22d41ed6fffbb0
SHA512

2b35cbbe45a125f373d4f57b1184e12ab88c4cd6c76d51bdc4f928a89bdf324eb4cd036fe9df22c69858bd83d9bfd07b012630ea7ebccbb877373f3c235b1135

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\E2C1E8F1FA\Log.txt

Family

masslogger

Ransom Note

<|| v2.1.0.0 ||> User Name: Admin IP: 154.61.71.51 Location: United States Windows OS: Microsoft Windows 7 Professional 64bit Windows Serial Key: HYF8J-CVRMY-CM74G-RPHKF-PW487 CPU: Persocon Processor 2.5+ GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 7/10/2020 5:52:40 AM MassLogger Started: 7/10/2020 5:52:37 AM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe MassLogger Melt: false MassLogger Exit after delivery: false As Administrator: True Processes: <|| WD Exclusion ||> Disabled <|| Binder ||> Disabled <|| USB Spread ||> Disabled <|| Downloader ||> Disabled <|| Bot Killer ||> Disabled <|| Window Searcher ||> Disabled <|| Search And Upload ||> Disabled <|| Telegram Desktop ||> Not Installed <|| Pidgin ||> Not Installed <|| FileZilla ||> Not Installed <|| Discord Tokken ||> Not Installed <|| NordVPN ||> Not Installed <|| Outlook ||> Not Installed <|| FoxMail ||> Not Installed <|| Thunderbird ||> Not Installed <|| FireFox ||> Not Found <|| QQ Browser ||> Not Installed <|| Chromium Recovery ||> Not Installed or Not Found <|| Keylogger And Clipboard ||> Disabled

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cappac.com.tr
Port:
587
Username:
[email protected]
Password:
aTlcLVD6nhEE

Targets

- Target
  
  hesaphareketi000001,pdf.exe
- Size
  
  2.9MB
- MD5
  
  62365690663bb84166207a981d124d64
- SHA1
  
  35a0d45093ab7d5e6acc22b0f1b1ee0eaf38da26
- SHA256
  
  d90041e6b2a7deca5936829d8a2f6b9c190abcab6c81c3a99b22d41ed6fffbb0
- SHA512
  
  2b35cbbe45a125f373d4f57b1184e12ab88c4cd6c76d51bdc4f928a89bdf324eb4cd036fe9df22c69858bd83d9bfd07b012630ea7ebccbb877373f3c235b1135
Score

10^/10

agenttesla masslogger keylogger persistence ransomware spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2