agenttesla

General

Target

PI.xls
Size

209KB
Sample

230629-htr87scc47
MD5

f05456c642ed8065b6d0adf7cb8f9106
SHA1

f3f1aeec84c721cb36e114a8094584307054a746
SHA256

cf19804e81842106739482f5559a78313c8fa2792c33bff9c45d1fcda39b343d
SHA512

4219e5de92615bd6d786e51c4f403e363889a35918bc2bf3fa72fc6ef892fb11ba14ff8aa2ee7f49a3f9224687af02fd6c2db31b763d30b06e4317d7c64219f7
SSDEEP

6144:G6Z+RwPONXoRjDhIcp0fDlavx+W26nAWqvBhBi0pnRrk5jMVWltEg0S:GxvZi4rkKVWlOZS

Score

10^/10

Malware Config

Targets

- Target
  
  PI.xls
- Size
  
  209KB
- MD5
  
  f05456c642ed8065b6d0adf7cb8f9106
- SHA1
  
  f3f1aeec84c721cb36e114a8094584307054a746
- SHA256
  
  cf19804e81842106739482f5559a78313c8fa2792c33bff9c45d1fcda39b343d
- SHA512
  
  4219e5de92615bd6d786e51c4f403e363889a35918bc2bf3fa72fc6ef892fb11ba14ff8aa2ee7f49a3f9224687af02fd6c2db31b763d30b06e4317d7c64219f7
- SSDEEP
  
  6144:G6Z+RwPONXoRjDhIcp0fDlavx+W26nAWqvBhBi0pnRrk5jMVWltEg0S:GxvZi4rkKVWlOZS
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2