agenttesla

General

Target

musikk.exe
Size

32KB
Sample

210120-2jkmcf7yt6
MD5

edeae783c7249315102d03a637fd3257
SHA1

22044ad362803278ec491b260e6d34a6342f17f4
SHA256

74957e6668e2336b8892c3943890462ee2f7e7782d25b574e8184a3862a1b396
SHA512

88f3eee886d178455e516326ffaa7ed6f32d234583be4b10738ae7c0097fe1f503e6c9c5f95107f80ec82bfb236f36372c6d5a7c837c0415240c4ffcc329f202

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
sales1@razorwirefecning.com
Password:
Blessings@12345

Targets

- Target
  
  musikk.exe
- Size
  
  32KB
- MD5
  
  edeae783c7249315102d03a637fd3257
- SHA1
  
  22044ad362803278ec491b260e6d34a6342f17f4
- SHA256
  
  74957e6668e2336b8892c3943890462ee2f7e7782d25b574e8184a3862a1b396
- SHA512
  
  88f3eee886d178455e516326ffaa7ed6f32d234583be4b10738ae7c0097fe1f503e6c9c5f95107f80ec82bfb236f36372c6d5a7c837c0415240c4ffcc329f202
Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2