agenttesla

General

Target

485c8a8ef8e81296c121ef23c12c80579b7d7c62426f62288fa10aee04d4e704
Size

393KB
Sample

220714-dt217aecb3
MD5

b0ca132b79d5d72014761b212a44a31c
SHA1

d1fda07396f1fb3ccd3ad04648d1eaec90d8500a
SHA256

485c8a8ef8e81296c121ef23c12c80579b7d7c62426f62288fa10aee04d4e704
SHA512

bc2caa5ed9ba552679d58eb2637919f5056569d9c04e2f2a3ab5226792d508a37c99102d6f90632c8f8a81de5440ad1e7977127a3b700655fa94e458bb32d4f8

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cpworldindia.com
Port:
587
Username:
import.cs@ahd.cpworldindia.com
Password:
imprtcs@2019

Extracted

Credentials

Protocol: smtp
Host:
mail.cpworldindia.com
Port:
587
Username:
import.cs@ahd.cpworldindia.com
Password:
imprtcs@2019

Targets

- Target
  
  PO#CWA006635.exe
- Size
  
  414KB
- MD5
  
  8cf823ee0766126638d33918383ca5d8
- SHA1
  
  3b215b084b9ff049a860fc29108f62c4b6d2133b
- SHA256
  
  6de7efc9e04cb4db0acc603a7ed700b186d0545acd0e8e84a1d8cce668202dc8
- SHA512
  
  41cd0278ebb15faddd178fb826e8dc74021980f09b94ff785b1b6d88d5504c2e7b37450484666fd7a00e3c3e865459ace696c41ad84e4d0630d1ef893e93ed94
Score

10^/10

agenttesla collection coreentity evasion keylogger rezer0 spyware stealer trojan suricata
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- suricata: ET MALWARE AgentTesla Exfil Via SMTP
  suricata: ET MALWARE AgentTesla Exfil Via SMTP
  suricata
- AgentTesla payload
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2