agenttesla

General

Target

16102023_2203_16102023_JABIL10934.rar
Size

607KB
Sample

231016-rcndcsaa87
MD5

086c03d37a473c990d98aec0a7c1d419
SHA1

19e143a4847c7f86538e18f3c3e4844347bf6694
SHA256

5aa44581c04f3bf936307d391ef576a56363b17b9143581f0db7a3a73d6d4cb1
SHA512

f2b564f1a3c523e69cbeebc6edc2a91d95c27e5683604c5aab80e69273379b9dd003bb3ef977045006b816d412f00e037bd852f53300b3f0ecbf551c44a665bc
SSDEEP

12288:aVNt0j9GgJB93hvfFL0D0y4sv3GWvBjRs1l15yrqlumo/8xOdGA5FM46I:abG0KBTf9G0xEv9G1Z4R/8xOBrM0

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.officeemailbackup.com
Port:
587
Username:
[email protected]
Password:
PL*W)YFtXd_p
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.officeemailbackup.com
Port:
587
Username:
[email protected]
Password:
PL*W)YFtXd_p

Targets

- Target
  
  JABIL10934.exe
- Size
  
  656KB
- MD5
  
  4aad6c5dc332341a5196eea6041d2670
- SHA1
  
  90f0686b2ff711345636a40a838e8f362182eeaf
- SHA256
  
  75f4b3f3428602942cfc972086e7d2a4ba358610430f1f7b9f3d73b5991d7337
- SHA512
  
  7c3ab91ac0ff187fced832e611608b4153a1b4ae1e0102a36bd6273dc96ebe68835483aadc29107639833f569495c7aba26d6c36e001382febda8d57aa21b5eb
- SSDEEP
  
  12288:zzfqBYsVbFTtD238zVwSOnOxafXSW9ulFx8t8o+ZtLAp+r01+:zT6Ymq8zV7O1p9ulr8OtLG+
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2