agenttesla

General

Target

cc6fffaf71e09873cabc2fc43aebf73c9fa2a3906c86c15bc0d96c5a0975ab5e
Size

642KB
Sample

230823-mc25asch4x
MD5

7f457113c6d2f93228f5dec68d6a050d
SHA1

1b1f49f4fa26862a5e05fb699afd433d24d8277e
SHA256

cc6fffaf71e09873cabc2fc43aebf73c9fa2a3906c86c15bc0d96c5a0975ab5e
SHA512

c8cb232e264f9a99901cb14b4495e4eea73e2b76a49cbee40c6ff185bfd121b48c3a609b301646b39ccaa8be665e369843c9d650b9d2ef7e700e12b48d5084ac
SSDEEP

12288:KGHJqOwAambVKebzKLajPBeAk6eTThaUk8BeRLkV6uHu1VlKwbuptSkoWl:DpqUaQzKejBeV6MThauBu2ruHlNbgtSG

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1139484107194249226/Vlhp6hn2jQbp2Pn9C7HitXwMubSUxt8jvVmjiMzLvA0UTXInxNbf6E9L7WA2v5GWOb49

Targets

- Target
  
  iMKDVrJe47zuAdF.exe
- Size
  
  727KB
- MD5
  
  5632023035bb33557273fffb47cf484e
- SHA1
  
  3a9019e6d4b424ea0872962e4bdfe102454efb18
- SHA256
  
  68de9e3489ae10b2585b442b3cb29c33928e0e874c96d82a9ec16db2f2ecf83a
- SHA512
  
  531b99e8ea60c7c32dface14dcd3951034779eac8f8e0e01acf7106fdba7aca6872196ee9d7ff37d7dfacc0c698249bdbc62229093cfaacdcb0f16f9b49590b9
- SSDEEP
  
  12288:8dfSRtR2lq3PagfabD3GFzj3wmGBlaU6eTT/wUu8/shLkf6uHu1VlK/0dKKgwxk+:8s2lq3ya+OzjRGBlh6MT/ww/+WruHl8N
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2