agenttesla

General

Target

Payment Application.xls
Size

3.0MB
Sample

230616-nevcxaef87
MD5

47bbcc7603e9979b6dd4e9b4a50042f3
SHA1

ad926408828c4798c897a3eb2ac993be28fd28ea
SHA256

023587dfb8efcb39cb353a413c2773cfded347e5d8aec8086ececf395725237a
SHA512

208615995d1972f38718c6855084541f15ebb72d5350d827ceebf4392fe0ab0a8a3ece746508c62460b30c1b2419c32c336f0e4daff065d4aa250a502f291adb
SSDEEP

98304:Aor+AMF11Rtk25B9KheI8xC0sEFzwMpLte:/0/3Rl8+wMD

Score

10^/10

Malware Config

Targets

- Target
  
  Payment Application.xls
- Size
  
  3.0MB
- MD5
  
  47bbcc7603e9979b6dd4e9b4a50042f3
- SHA1
  
  ad926408828c4798c897a3eb2ac993be28fd28ea
- SHA256
  
  023587dfb8efcb39cb353a413c2773cfded347e5d8aec8086ececf395725237a
- SHA512
  
  208615995d1972f38718c6855084541f15ebb72d5350d827ceebf4392fe0ab0a8a3ece746508c62460b30c1b2419c32c336f0e4daff065d4aa250a502f291adb
- SSDEEP
  
  98304:Aor+AMF11Rtk25B9KheI8xC0sEFzwMpLte:/0/3Rl8+wMD
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2