agenttesla

General

Target

PO+010-240.docx
Size

10KB
Sample

230301-rvpddage58
MD5

1cb238263947b5019937888d3cad8833
SHA1

15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
SHA256

3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
SHA512

d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
SSDEEP

192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K

Score

10^/10

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://OIWEROFSDFOOWROOSDFODFOWESODFGDOFGOSDFOIOFSODOXCVVODOO00FOF00F0DF0FFSDF0SDF00SDF0DF0SDF00SDF0S0DF00DF@3324948138/rr........................................................doc

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
002@frem-tr.com
Password:
jCXzqcP1 daniel 3116
Email To:
002@frem-tr.com

Targets

- Target
  
  PO+010-240.docx
- Size
  
  10KB
- MD5
  
  1cb238263947b5019937888d3cad8833
- SHA1
  
  15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
- SHA256
  
  3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
- SHA512
  
  d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
- SSDEEP
  
  192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2