agenttesla

General

Target

ff69be471c7d69a90c50017c03e4e5204f8edf419487e9944860475dd833cc1e
Size

662KB
Sample

220520-2tw2yagad3
MD5

a8d224bf9c15da46df2d9d3dde069b0d
SHA1

8956aa3ada0ae9f4579a4e9d50a7d37bb02df1a8
SHA256

ff69be471c7d69a90c50017c03e4e5204f8edf419487e9944860475dd833cc1e
SHA512

f48a66bd77dd71aac667d4255525f79c48398aa19b7c336e8f09628e3b431b203c278ae78e4e6b8778bb937ad4d0b0e54e7aa4c696d6698540061708084117d5

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.plazaplus.com.my
Port:
587
Username:
[email protected]
Password:
adminplazaplus

Extracted

Credentials

Protocol: smtp
Host:
mail.plazaplus.com.my
Port:
587
Username:
[email protected]
Password:
adminplazaplus

Extracted

Family

formbook

Version

4.1

Campaign

lgk

Decoy

spare-parts-hotmelt.com

abacocentro.com

potetonchi.com

warnerconsultants.net

ifixwindshields.net

sadikozcankuafor.com

hotelalexanderplaza.com

zonecms.com

hiitnrun.net

catwalkers-contests.com

bestweed4u.com

medirehafit.com

olvikor.info

luwa100.com

youbox21.com

chennaihearing.com

ecchem.net

bureaucartegrise.net

sellingmilkshakes.com

parcbotannia-info.com

Targets

- Target
  
  Tender document.exe
- Size
  
  428KB
- MD5
  
  7c2a3303f5a74db2dbc52700021c7b85
- SHA1
  
  47d8cfab45c62c74f6a37a0ba1eee131139572dd
- SHA256
  
  eee59729c83333c9d3b5a7b446a076551d1d564e65d24cb73dbc14e3469338e2
- SHA512
  
  12629cde9440830221c9bdfa19efd3d1e0203e92b9aff04346798a20c9f62cd22124cc036420679e30968be54508bdb3628bc598b2f0211eb1268d9caa021ad9
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  purchase order from Innovix Distribution Limited, Hong Kong.exe
- Size
  
  319KB
- MD5
  
  a6d242a7659717390c09bf5c2ba82ab0
- SHA1
  
  3803bc93c309c97b8c7bba202b42d06e4637530d
- SHA256
  
  6740dedb2240b867fd09e2b5fe3a3c1e1a76c5067c9b7e9e77ef709a48f906ee
- SHA512
  
  46c6836b3dd24af347643fb0c082fe96ac9999fe5b56e835ba67e9181a90f98be4f3e8ef8d0378bf41792f707b59fc27a7b2502fa676c4f0c7be8b8416f39987
Score

10^/10

formbook lgk rat spyware stealer trojan persistence suricata
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral3 behavioral4