agenttesla

General

Target

pozipexe.zip
Size

1.7MB
Sample

230511-shwscsga5s
MD5

8cb782973b4bc95c6e772cb198ea4fd6
SHA1

25ab384906f0daf81e6140fac672fc04b6c42a4c
SHA256

eb525f35f463a2f2b6a371be35fd9b728f931f3340ac45c9596d002e0f952f0b
SHA512

22586f6173fe729dcaa3efb38390398bd6363a33253a79482fbe2dbc6cc0a9fd8b5bdd1081d02ae58a5e473d5bdcb8569d1a2aaaa92483f56595eace9d034680
SSDEEP

49152:O01eeT0nHCj9DwJrjRjNVgXlv21rKfbI4bH1bd:cnHCj9DwJrjdNuXR21rEbFZx

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.lucd.ru
Port:
21
Username:
info@lucd.ru
Password:
obum@911

Extracted

Credentials

Protocol: ftp
Host:
ftp.lucd.ru
Port:
21
Username:
info@lucd.ru
Password:
obum@911

Extracted

Credentials

Protocol: ftp
Host:
ftp.lucd.ru
Port:
21
Username:
hwk@lucd.ru
Password:
obum@911

Targets

- Target
  
  LPO Purchase Lists XLs.exe
- Size
  
  1.3MB
- MD5
  
  566664857039f73dc99d94bfef7b8d0c
- SHA1
  
  a2f218ca707e05f7f41e8f99befd9e7318786eea
- SHA256
  
  70d7ae6af8ef6d23fe1adad5a31e97c8f03607bfbc00afb7534f55a988a0e0f9
- SHA512
  
  6aaea2a2e4609252e8adbdd499ae10e95e3bf54d234fe2ba551769a2185b3ee22547679fd14039dd96f1630494ac59b8e3bc0c6cdc19625075e56e3c9fa949c5
- SSDEEP
  
  24576:BH7dmPvI4mL2G4qhe0QT3yd2OluON4fA9uC:SfmzDfq3yd2OluON4fA9u
Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  PO Order Samples XLs.exe
- Size
  
  1.6MB
- MD5
  
  0e3b3c9892de34fed68f762b64d35234
- SHA1
  
  6346e2413f94f0694727bfb0091af6c4ca95cb01
- SHA256
  
  90ce14826f31be76d23efe014a0655ac9b7074193a182483fbca949eb84ea1d2
- SHA512
  
  90fd347cc905542900572aa66537ec0cf3179ec4c5575cc901caba1f4f886d79d4360866d5c917a62140ce5d6e39e7bf72bf764da5618532725f2b9b870dd819
- SSDEEP
  
  49152:hgLbWFV4frG/x78HmO3yd2OluON4fA9u:6LbWHd78Hm
Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4