agenttesla

General

Target

a6d927ba4a4b0cad4e2f459aef0c4c3d.bin
Size

627KB
Sample

230513-b1qwdsfa94
MD5

7be28fbf83dbabfdf8e3b0a17fd00d41
SHA1

128fe2e2277a06ea01cc9a97a92348e3ca4a41fb
SHA256

f0780d7b9429fa447e236f54a251c13a36ee10acc9b2c8294aa1e72690ef2dfb
SHA512

27e324e74df132fbf07ee3b26888a8bf0d38552edd825bc4b35fdf5c869ac48604c6338d6d7f4fd6e989a4528ddaf397883961b26adc817b333141eed80babe1
SSDEEP

12288:v/JrTMkeawGiSIpTTGPJt1s8rog3b1MyFGN0PphATYAvPlAusSXR:v/6YwF9pKN93b1MyFw0PpuYWPWunXR

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.thereccorp.com
Port:
587
Username:
[email protected]
Password:
O@123456
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.thereccorp.com
Port:
587
Username:
[email protected]
Password:
O@123456

Targets

- Target
  
  c6d17684d5779f287df9ff7e53f95f5dc8ef24a7725d5ba1b60ce17ff1157e61.exe
- Size
  
  718KB
- MD5
  
  a6d927ba4a4b0cad4e2f459aef0c4c3d
- SHA1
  
  74b46e9615014e0e39d809cc469c7a061093210b
- SHA256
  
  c6d17684d5779f287df9ff7e53f95f5dc8ef24a7725d5ba1b60ce17ff1157e61
- SHA512
  
  f7868715d80087cf88af1a452cf5907980d707b8f7c2c0c9d779d95ebee354ce7b7b45c058558f41c3b13f3217ec538399668840c153bcb98a37a36b737740be
- SSDEEP
  
  12288:ufeeXfZdfrXg+JwuKt/S/60YbNyq3NzXCvCdMCJmo:ufw+Jwz/S/6BbYYZ5u
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2