agenttesla

General

Target

e5bcb7c01d5c17464ad2b6877cef3ae073fd79576b53e37fd2da2dcfbefbfd8c
Size

405KB
Sample

220521-cdk73adff9
MD5

26d96be9c70e72d5a0d0bf114ec38c89
SHA1

3d4ecb26a4ed84119cbcc7f0178bf4c891afe4a0
SHA256

e5bcb7c01d5c17464ad2b6877cef3ae073fd79576b53e37fd2da2dcfbefbfd8c
SHA512

2285c51709194f8dbf38c7921c3b771b154b30d6dc3e8b1dd11b41a822d8ca775d6a3e674da0f2b0360348f490e9e4573c96422ec429a306d9ba2f3394aef7af

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
08140480968Ju@

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
08140480968Ju@

Targets

- Target
  
  00000056431.exe
- Size
  
  462KB
- MD5
  
  84f834b868b0e17a6d1ce5b7ee4e04be
- SHA1
  
  8d4f5fe04c16574d22a6a17d3f2d751d817293dd
- SHA256
  
  6fb90df91c05a8ded30de9ef0a21bb41e2c4f1ee3c9ef814877feb500cf8cac6
- SHA512
  
  84154d9717741df46e7fb257e092e11a3250024f0b422ec3e497068c6dfd85be07ea566d04308fbd6b62c51317165185690512a938346cb43dddc39291e3e3ec
Score

10^/10

coreentity rezer0 agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

CoreEntity .NET Packer

AgentTesla Payload

ReZer0 packer

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2