agenttesla

General

Target

DR1.exe
Size

15KB
Sample

210120-nck2yxrq8e
MD5

67698483a208b58241acfcdbe9682f90
SHA1

2358b113a5a47d70e78b939156f2cdf7049fc39b
SHA256

8f8198fc76f32f907c255e1715f44deaabd4677f4cc708ecfd6afb1a50d9bcfc
SHA512

726181cf74d4adc26888d5454e66e76ca8887de3956d5a509fd015ae49f83683ad452d4f7a474bcdf3929e5192eb1e87e32636c515755739aef7ad136001b2ce

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
max.mccanna@metaltek.me
Password:
@Mexico1.,

Targets

- Target
  
  DR1.exe
- Size
  
  15KB
- MD5
  
  67698483a208b58241acfcdbe9682f90
- SHA1
  
  2358b113a5a47d70e78b939156f2cdf7049fc39b
- SHA256
  
  8f8198fc76f32f907c255e1715f44deaabd4677f4cc708ecfd6afb1a50d9bcfc
- SHA512
  
  726181cf74d4adc26888d5454e66e76ca8887de3956d5a509fd015ae49f83683ad452d4f7a474bcdf3929e5192eb1e87e32636c515755739aef7ad136001b2ce
Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2