agenttesla

Sharing

Copy URL Twitter E-mail

General

Target

186-205.zip
Size

9.4MB
Sample

231101-p927nsge5t
MD5

04aee30617130282dde05ef35f38f91f
SHA1

c22029d70d503cd802b3db69b5f2d15a64264ad0
SHA256

1bb76901f992100d6b323a70b3324f4850aea1d069c3d956f344de94d93ebc33
SHA512

9d485f0e6759d7335ef86eef723c0a5d250518bb7cf73905ac4a62c1b7c892d53838b7fa6e6bb09aa5d8cc40a97568b46b19b9b578b2b6a8ebd38b56eec03c15
SSDEEP

196608:FnMEzCK26UBUCBXRV4BfIzjOYtS/sWfS8vjqOreeLAFG2ciZ/gR9Fon7Va:FnMzr6UBU8QFWOY0/sWfp75rTUMiaRIM

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
contabilidad2020
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.grad-vodice.hr
Port:
587
Username:
[email protected]
Password:
pKs9zy8Nn1

Extracted

Credentials

Protocol: smtp
Host:
mail.focuzauto.com
Port:
587
Username:
[email protected]
Password:
Gdn4ford@2016

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.focuzauto.com
Port:
587
Username:
[email protected]
Password:
Gdn4ford@2016
Email To:
[email protected]

Targets

- Target
  
  bdd3f500dc784c0f597d9eca09ec4c92.exe
- Size
  
  869KB
- MD5
  
  bdd3f500dc784c0f597d9eca09ec4c92
- SHA1
  
  a951390d50a09bd2c24f1633fd6a6b0af82a1d11
- SHA256
  
  920d519caed6fad76c8205ab38d984baccfd97405b1ca5ada793cc50140183ca
- SHA512
  
  4e6251b9207d808d4336b7e3ddd1c60c2483edff536ee2b6339d39fdc8b2a52bbaec54164490f57bd7e2ea5c9ad4d8baaa4ccaf67d706e11a945e411ac260530
- SSDEEP
  
  24576:O9YkZl9bXjZk1S5LA9rQhqduoBsXFsrpJGzUO3c:OvXjZks5LAGAyGrpG3c
Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  bebbd564c95f93338278e7e1d17a6888.exe
- Size
  
  921KB
- MD5
  
  bebbd564c95f93338278e7e1d17a6888
- SHA1
  
  cbbef89d55d422f3099d10dc8b2e4621f1287fa5
- SHA256
  
  2e8aeb8aa7f3bbfb5452dff246d8779d7258dee3356d100bac3c71723549bcd8
- SHA512
  
  577ac62a9706014bac39e90f1c67b3c66f5d1e31502b20bd3f9527cd969b4c528d1a2c7a6f208bf0a83f302af1ab6b0c0191c9f27b8417b267a5001a1e4179c9
- SSDEEP
  
  24576:wyByjP6+osyRAXfC2aTR667fO07oGxO0O:EkuqzTEQJx
Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  bee4228379337219946d60655bfa9341.exe
- Size
  
  737KB
- MD5
  
  bee4228379337219946d60655bfa9341
- SHA1
  
  9cc3d9f6b31732f5a64a2f377ac804a0fa1ae8d5
- SHA256
  
  58e573b3f5001e4f262f0f56cc08391390a10e9fedd7e46b054c3a6197991b32
- SHA512
  
  84e1c0f9a05e2b6aa89f3f41264aede14dff576aac02538607a2b5c567154015e1a54e7236c5a682523339e42ec96eb47169749e5b038b431807ffa1fd23904c
- SSDEEP
  
  12288:Er2iNyOe42KMu/N3mWhQmwmJCMpUGv7ohmT/w7AWwSznMwFXhxJiIfc0Hvtg6zci:m1wOV/NOafv7o/gSHhxhfZJzcY
Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  bee428f2c0b4c99e53ebac93a7662f6d.exe
- Size
  
  753KB
- MD5
  
  bee428f2c0b4c99e53ebac93a7662f6d
- SHA1
  
  45e6a1e053bafbba2e1a1cd2312e7cd4a3eb16e2
- SHA256
  
  b0d9e970a53d36e3238693badcb386b0a7b3abf5331cb9b641f5c606899ce8a4
- SHA512
  
  165b2be51b310b1018f39ca6e5f683d2734d53ec3580a7a27d3cd3c376593a637124c2caf9c55c4427c43510246020cdd830d35ebf396c190b145d040f00629a
- SSDEEP
  
  12288:nboy0PFK+iGds+A4rUVo6FfjEOn3R85KDfIatmRPm76yREXqXdVBd:ns3FKXBV4rULFozKDfIaMMx4qXdVB
Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  bfe2de8eba236fb0eb346c2f86c3bf26.exe
- Size
  
  1.0MB
- MD5
  
  bfe2de8eba236fb0eb346c2f86c3bf26
- SHA1
  
  b33ac69d327091b970ba05b3b24451d32607ac24
- SHA256
  
  05b9b2ba7cef56b08f7d979f09119528e4de33b6165599c5f550b8c3c7a3f9d2
- SHA512
  
  0451d319907959374e214990f94f184c11cac6a1ac25357d07e1f94cffb88d8d667ddddca42eac9d9f21abbd4c2fbd1939ac8bc69bd567dcb7ef301c411ef5d5
- SSDEEP
  
  12288:qqr+rZVvLJPXmkZ3qlFFr0lJYJwOXGkhzPeXpRP+sv:qrrtX58FF5wOXGkFCpb
Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  c0051bd7623a9481f06602a24816cc0a.exe
- Size
  
  784KB
- MD5
  
  c0051bd7623a9481f06602a24816cc0a
- SHA1
  
  709accc828d0b6db761f3f8c1bc4aeee1b824543
- SHA256
  
  88762c51cbc4467dc5e5ba304d24eef77ecb63011af117529dde2a807ca0d2d1
- SHA512
  
  7224046b31cda451f85247d6cd132900bc8aac19ea62a34df7c8efbcba750df526bea795e958f9784d53f19697970282454c7871dfd95869ff1d7eceb8f5a5e8
- SSDEEP
  
  24576:ZR4qXdVc64NIs20uWc07yHdZGHAT8wNfKyC3Y:X4qXYTNIbkr7+biZ3
Score

10^/10

agenttesla zgrat collection keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  c10ce97e6544cd7e04b4aa1a9c4df1eb.exe
- Size
  
  326KB
- MD5
  
  c10ce97e6544cd7e04b4aa1a9c4df1eb
- SHA1
  
  8549cd3ebaa0cbeed269cac3da0b41a43341951f
- SHA256
  
  4a274f08e6f2d51a2c34b022c9eb66bb8de77fa9fe05d2aef25e9c0dec6d6c01
- SHA512
  
  b0102e230b5d1ea1ff2f473ebd357779cdbf6b9d8fbc02289524b4ce7962842fd62ab53a881d2d948feb68d488136bdc38ed67f7ba7ccea06ed6b47c115370dc
- SSDEEP
  
  6144:fQ606x5wOyFNKvLOsI5H8Tx836e1NputSMFNZc9t6nzNH45X:/wDSvysI58x83R1NpsVFfZn945X
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral13 behavioral14
- Target
  
  c3577d14cda7504d8ceaa9ae26fbb70d.exe
- Size
  
  699KB
- MD5
  
  c3577d14cda7504d8ceaa9ae26fbb70d
- SHA1
  
  0c79db2c4ca4f153d231a6378159675f9a111e0f
- SHA256
  
  1b3662e68c3970c3ad2c9cff4b034a88823e67c7da54842519ac8dfefd87a883
- SHA512
  
  7d0a253a8676dd04202c9e643e0c4debf48c68f6b26163b38bb6726e1855bb41af93b1dbb139eddda689413ff56bb2c4218238492a954fc03cf5e0fef071f868
- SSDEEP
  
  12288:shqGsDJiANmZk7wqHbjuEIxhF/vM16DXY9soO:s4N1imP/ahvQi
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral15 behavioral16
- Target
  
  c6b464c901f8ef206f7c7def30ea6df8.exe
- Size
  
  720KB
- MD5
  
  c6b464c901f8ef206f7c7def30ea6df8
- SHA1
  
  0a4cdb1f4049927aea95a04e65f64d8e0cf5daf6
- SHA256
  
  47560478ac10be3464c9193150527e27af88e214e2c8acace019e7fe32df5197
- SHA512
  
  52b58d40a52222314fc0f62a30db43d5e726e15004c8637946a1bebe47ddb3c6ad27ed1edfc4d89302aa331d3c472ed4e53dac8d48883f9a3fc54388a560ef59
- SSDEEP
  
  12288:WPRP2B0xTGlxNqvNu2hZ+nUEsn9h6kl3RaiM49Y1LMf6N85zkmBhHe4lvR1v76D9:WZPLaVUH999h3rM49Y1L/mem/HbhH2D9
Score

10^/10

agenttesla zgrat collection keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral17 behavioral18
- Target
  
  c720da2df2b14990798df3c4512805cd.exe
- Size
  
  478KB
- MD5
  
  c720da2df2b14990798df3c4512805cd
- SHA1
  
  fc62f7545012d2d2e0420d56bfe5debba795a532
- SHA256
  
  72e65e6a505b198e6d6111c460f1e2859cc8ffea374129d05287da8d85e675fe
- SHA512
  
  a57064f9eeac2170f1ee0e1f0cb0c32848329efc83ea6f8620cc5bc7f22f83365530067992934a70b8deb88b1ef7bb36d6abf74b13596958f6dc8495630436c3
- SSDEEP
  
  6144:iVGdx6xeUgDBLCPG52keH83kifSZmNeNzi1+932TDKAD+yrGgs+/kmIce36osm:WML+GZeH83kifKGWzYCyNs+Mg2
Score

7^/10
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral19 behavioral20
- Target
  
  c7bdc5c45c5266f0bab5d09c45071b68.exe
- Size
  
  851KB
- MD5
  
  c7bdc5c45c5266f0bab5d09c45071b68
- SHA1
  
  3fd68141c880b7f1250afe872ad5d018d49ef75f
- SHA256
  
  2951ba641cb9cf539b45973fb7d178aaa0b511812b4e84f42dd998cbd8363e2c
- SHA512
  
  c301699a6cb7f1c365bf70e39aaaa90def285a043bb28e2597a4b7ef50ccf7d54ff9356a8ee293cef96f26dc5579ab1a7b2932d6ebb51969b0f90371241bd8c7
- SSDEEP
  
  12288:0+09gvdGmGHWcZyPWg7ob7Y0/93Q3mBnJPyc:mA32yc
Score

1^/10
behavioral21 behavioral22
- Target
  
  c8276b980d364eb06310790c45756831.exe
- Size
  
  827KB
- MD5
  
  c8276b980d364eb06310790c45756831
- SHA1
  
  351906d842e5f110b97fab216095b5474962e306
- SHA256
  
  cec5cc9dfa8e64cd0bacc6aa6f7767729dec65d6a8d53184b887dc89a6a76884
- SHA512
  
  2f1654f1d51083b9d212d86e13ff58b1414c513b78162a8fa392196d8ee065273872cdd72f6039b0fe0d5cac0c8ec3bacc4f5598e479a3f4475cbcd44fa33d85
- SSDEEP
  
  12288:LHrkBF0haDnLMzIL2q+RTdOL8OOQ7BJaBdRRzxIPUmEsVXD7QU4xTknvPKmkBX/S:LABFKOyqGUL8mPcNxIPUC7uxTk336Xa
Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral23 behavioral24
- Target
  
  c99a0bb64cc818859f4902fd4ae7e2c3.exe
- Size
  
  922KB
- MD5
  
  c99a0bb64cc818859f4902fd4ae7e2c3
- SHA1
  
  eddd538e95e2cc45fad2aa182cc946fc39aa216a
- SHA256
  
  6fdbf010d593e3a490049da3e72a79e11e82e0f1a98bfc5b3ffd939f88482a87
- SHA512
  
  c868d7337fd4d084f55bfa0c417f22ee07ca8896fa7b778232bb31b2a5aeb61e2e30e0d784993c5e12aa2f01aee943689155de1046b925255266a71a8a84fb2f
- SSDEEP
  
  24576:F2oYiJNmEKUgBw7Flo7CgzXYCx1ojzYvq2Fv:F2oYiTmEKU0sgNXxvS2
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral25 behavioral26
- Target
  
  cb4177d5af25492f761ba914ab1a2d5b.exe
- Size
  
  484KB
- MD5
  
  cb4177d5af25492f761ba914ab1a2d5b
- SHA1
  
  533d6af9aefacb4dc542d11f580e74e0094d78cc
- SHA256
  
  aa081fdd4b1447f50679f0fa3c2822d35488d566aa4f4b546cb34398a29a9c28
- SHA512
  
  eec1b4b638afbe1810a2ef11a25c77b0aabfa2bef29d842a56271d96ca487877dbdef401d2e2e83d255299bbfe0def548634a985814bb8d3e5b3e689c3c1320d
- SSDEEP
  
  12288:UDfhQdWP5zZDSakeGD3PPWIAuIejQFXTJxWn:Nd0lEakeGD1hktTJxg
Score

10^/10

evasion trojan agenttesla keylogger spyware stealer
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- AgentTesla payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral27 behavioral28
- Target
  
  cdd187b140f787efa951fab18d274cfc.exe
- Size
  
  306KB
- MD5
  
  cdd187b140f787efa951fab18d274cfc
- SHA1
  
  04dd7b20c6ed955f23a745b18a6cf3ffdd1a6f94
- SHA256
  
  b3a1509f77da1f09f79e2d0d6b6c6938db01f8ec67fa6adcf992eeb5b6b8698a
- SHA512
  
  1248e398a051f9a5f4ded802a34e84a3fb57c17a83ff8973498dfc28b6497834b426ef80d4ac5873bb3ae063ca176c594de3276568745678269ac049fd8a5cea
- SSDEEP
  
  6144:ux4vyP05yb7EuugWVZ+oYZ4X8Ivo2K+9OzYoAG94FGiVU1xiZc0I/sO:Y4dcTbsYoYZ4X8IvoL+9OzYoAG94gW2f
Score

7^/10
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral29 behavioral30
- Target
  
  cdf8661bfba3b34c9c876c216db9bac1.exe
- Size
  
  767KB
- MD5
  
  cdf8661bfba3b34c9c876c216db9bac1
- SHA1
  
  30dc311efcb113155f32b818b171e7e3ffa03b88
- SHA256
  
  7bb1a4ceb5f46fa0a8313404d39bfe9838bd8ec84ee1d2f8ab9ddb41de92e8c4
- SHA512
  
  d8acd7b9080991994883dfe414fc5af888c06cc86aee1a74802adb17a854d9e53ddfc1ddf625b94eccd936ca0c99b7574bca532a9152cc2ac9dfafd65b359afb
- SSDEEP
  
  12288:WYIZYFeueRy5KPtlaA3OK4nwFpJaKdpkyoQGqUerMvcL7eiKEXqXdVFSZ2:BIZYFjkyYPtsAN4nwjJ/kvQRbK4qXdVF
Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral31 behavioral32