agenttesla

General

Target

93f1feffe4a797163f55f1caca45182a
Size

777KB
Sample

210727-4hsshfmvs2
MD5

93f1feffe4a797163f55f1caca45182a
SHA1

6cfbf536209e0c0256479785fec1ced9b2f77a11
SHA256

4afaa463a048f9c89866a9c7154bf4a9d20ed849cdf6a8c0cf4b0b8b105d8e3a
SHA512

3302bb5e03c8c87e3539dad5ae5b20bf240d5a379e3c62b14a6a6afd9dcbb0bc079b629349cd05d4e1c9931e70f475ee1c094f59b8a014765cef72fe7f33e7a4

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.badonfashoin.com/
Port:
21
Username:
logs@badonfashoin.com
Password:
sKsYZiIYQn6y

Targets

- Target
  
  93f1feffe4a797163f55f1caca45182a
- Size
  
  777KB
- MD5
  
  93f1feffe4a797163f55f1caca45182a
- SHA1
  
  6cfbf536209e0c0256479785fec1ced9b2f77a11
- SHA256
  
  4afaa463a048f9c89866a9c7154bf4a9d20ed849cdf6a8c0cf4b0b8b105d8e3a
- SHA512
  
  3302bb5e03c8c87e3539dad5ae5b20bf240d5a379e3c62b14a6a6afd9dcbb0bc079b629349cd05d4e1c9931e70f475ee1c094f59b8a014765cef72fe7f33e7a4
Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

AgentTesla Payload

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2