agenttesla

General

Target

cfaa07a65524716f01de1841b46c84afa1be4b2679251cfd153cc652a4d2e0ff
Size

390KB
Sample

220521-cjnkdaeaa8
MD5

36cdd81355642b1aa284f31bee867886
SHA1

6b5a7b8b4ba8ca82d175c6df8c0d6617ff4a3fcf
SHA256

cfaa07a65524716f01de1841b46c84afa1be4b2679251cfd153cc652a4d2e0ff
SHA512

bbfeb085969a28d860f1d5ea40f2dcde0e6e90c1f80592022fc283f1c5ea78ab0628fba6c8ad67f9f0e7cad865660fe14bf8351f0cef9c5f45a1b1b151126a9a

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.elhelado.com.mx
Port:
587
Username:
[email protected]
Password:
4042Ad@+

Extracted

Credentials

Protocol: smtp
Host:
mail.elhelado.com.mx
Port:
587
Username:
[email protected]
Password:
4042Ad@+

Targets

- Target
  
  000028990022201_S.05.12.2020.exe
- Size
  
  447KB
- MD5
  
  911395d838df7e2a013290724591638e
- SHA1
  
  6921fb84679f374c6d0c1e0eda678922bfe736eb
- SHA256
  
  17c3a3aabe85b35b68b3376bf9470d45770dab07460b139ba25c1c31c76297fb
- SHA512
  
  4ba1f3b881c6bd66f497bc9c95306e1507c4dacef4b01b0798b8d950486d0d9ee33368e7b6ea9a0bae945bee8bc84c9a5e0f408bbb065163ed71c32a712e9383
Score

10^/10

agenttesla collection coreentity keylogger rezer0 spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- AgentTesla Payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2