agenttesla | d4f6823c1fcacff03c976cf84da2fb482cc12ceb2fd6720517dd6c5e3226d571 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

77e2b6a251b3ed0440f515824c1d67fd.bin
Size

692KB
Sample

231103-clp6zsad8s
MD5

23b22e21b857f092d3be95a787992829
SHA1

d1ad8dd7c36c22d27070bb93e6d40e6c0f57471c
SHA256

d4f6823c1fcacff03c976cf84da2fb482cc12ceb2fd6720517dd6c5e3226d571
SHA512

fb868ab0ff5fb1ff27ba0504db9008eb795a53c0651c274c58991ffd6c7af71d514c258a19b5b98298bdec33916399f8a3a90a3d342089a90ff2986028e386df
SSDEEP

12288:9LaMgPVkua4t/+3T0r+c7/tQRpEBFE2kFFdq2BXFL+j3/G5IT0celCZ:5VgVBt/+xQtApEBS2kpzBZ+j3/EIT0x8

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.zoomfilms-cz.com
Port:
587
Username:
[email protected]
Password:
myguys@@@@@12345
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.zoomfilms-cz.com
Port:
587
Username:
[email protected]
Password:
myguys@@@@@12345

Targets

- Target
  
  e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249.exe
- Size
  
  735KB
- MD5
  
  77e2b6a251b3ed0440f515824c1d67fd
- SHA1
  
  17c07d5b66b17ef50890b09effafa109b34a5a0a
- SHA256
  
  e486e7139d822916d3608207854109d49cc1dda5f894d314c2ae1c6aa9ed8249
- SHA512
  
  db09559a369887fbc1228faac55d81244b962be8a59aa94ac977ca824886423caba9c48250100ba1c172f779590a62075483c9cb1081bce82747e8fd3b4198ec
- SSDEEP
  
  12288:IjbyGBWKkv4KnIbow0Qa5oAMJ7Ec0rdebYvgwLHqZ0aTHWsYoa:IjOGwJwKnaSoXqr4/sGV
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan