agenttesla

General

Target

b2083ce7d4550ceaccac4b45679bfa5a9c8168adee4d7c79b7a6b566e597ddf9
Size

391KB
Sample

220521-bp2thsccb6
MD5

dc421ca0185a51734748e38112923441
SHA1

8a9436ae875d14d7d5dd53390e9132e92e0104ec
SHA256

b2083ce7d4550ceaccac4b45679bfa5a9c8168adee4d7c79b7a6b566e597ddf9
SHA512

bf02bfe6aa43e208e8fd2fddd2af82191d223af532a7bd383bc9ff616442703eaa64dab9b405f27e3f91ff2ca302431b6a0e946c967201fcc7c8accc082a5e4d

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tolipgoldenplaza.com
Port:
587
Username:
[email protected]
Password:
Golden@#$2019

Extracted

Credentials

Protocol: smtp
Host:
mail.tolipgoldenplaza.com
Port:
587
Username:
[email protected]
Password:
Golden@#$2019

Targets

- Target
  
  SOA APRIL.exe
- Size
  
  443KB
- MD5
  
  b4918de9ccfdf564a629cea7e3b82195
- SHA1
  
  aab1d0e71ce72baffc39ce5f9fd3fc5aad0ec8d9
- SHA256
  
  c57c75b73874a793db4640a20bf8f89c57d8b95c9165a721e3a71f5693127c49
- SHA512
  
  f50ebdab2e8c5c2598ef52eae7a2c0d9f53900f0c26cf17cfd441051390d083a0881d1eb80eb713ef8d2e96633478d654219c07fd5178881919bf78801ed3d41
Score

10^/10

agenttesla collection coreentity evasion keylogger rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2