agenttesla

General

Target

Josefinabosco Groups Limited RFQ#20230304.docx
Size

10KB
Sample

230303-lbpl5sgc8w
MD5

6d5efe89e5096d4e503cfa45e3be6012
SHA1

582580bdcdf8e6075a9bb736a5421e4674ce3750
SHA256

5d39d0f94d3ab0ac294f5438619965dfcb56b6347faae2179c115caed2715ca8
SHA512

239770ced2b5b104b9dd6394c1528d9bb8a691e0f0518ebe68d6cdabf3fd6298f43667671794f1cd6ef355bd10758e4d5b8a861fa11894d67da96f1af9dace78
SSDEEP

192:ScIMmtP1aIG/bslPL++uOXFl+CVWBXJC0c3o+:SPXU/slT+LOXFHkZC9j

Score

10^/10

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship

C2

http://ZZZJOOIOIOSDP99090SDXDdad9SDED99000DF00DF0SDF00DF0XCCXC0V00S0FDS0F0DF00SSZZZZZZZZ0X0C0XCZZXC0X@3324948138/12u.12u.12u.doc

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
002@frem-tr.com
Password:
jCXzqcP1 daniel 3116
Email To:
002@frem-tr.com

Targets

- Target
  
  Josefinabosco Groups Limited RFQ#20230304.docx
- Size
  
  10KB
- MD5
  
  6d5efe89e5096d4e503cfa45e3be6012
- SHA1
  
  582580bdcdf8e6075a9bb736a5421e4674ce3750
- SHA256
  
  5d39d0f94d3ab0ac294f5438619965dfcb56b6347faae2179c115caed2715ca8
- SHA512
  
  239770ced2b5b104b9dd6394c1528d9bb8a691e0f0518ebe68d6cdabf3fd6298f43667671794f1cd6ef355bd10758e4d5b8a861fa11894d67da96f1af9dace78
- SSDEEP
  
  192:ScIMmtP1aIG/bslPL++uOXFl+CVWBXJC0c3o+:SPXU/slT+LOXFHkZC9j
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2