agenttesla | 304a08abd8dba4afc07a37b7377cc7e9e1844e1d4b482c52a61a3dd5c609bef5 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

93cd95cbafbef5c843087bb24f6453f9.bin
Size

561KB
Sample

231106-cpv7eafg9x
MD5

86a93106316757f3e998987fe3aafd4d
SHA1

2355fd50738ed29d14911952b6118f5471104183
SHA256

304a08abd8dba4afc07a37b7377cc7e9e1844e1d4b482c52a61a3dd5c609bef5
SHA512

7ebdf2c433c6566a1e555aa29d9b0d1ae73b8944845087e35e335b9f241c5f6c9046853a447546314925bca30753ca4cd7cd231f5375bf180d4ff91f3036e933
SSDEEP

12288:TPaq6zU8yjmhMv0/a79ZMVTMRFFL5Op4eA6CXBwjXA36Fajn/yqRH:Taq6zULiMv0/a79ZMVTMbFL5Op4ewXBH

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Brillium360@@
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
Brillium360@@

Targets

- Target
  
  566a9b82252b4402d80e3cf288a9ff19648b2f856c385c1ec9ea13041ad5787d.exe
- Size
  
  578KB
- MD5
  
  93cd95cbafbef5c843087bb24f6453f9
- SHA1
  
  a8cd16431992c505c454a42fd7519fa8f98332a9
- SHA256
  
  566a9b82252b4402d80e3cf288a9ff19648b2f856c385c1ec9ea13041ad5787d
- SHA512
  
  b03468de05acb0b91b55967e54861374b0fd2704cd0c45a60e3dc176bec07c63cd4cf8195ec93c1e191418528aa9e19f95fd03cf952d859314936630f361f2af
- SSDEEP
  
  12288:ncwn+NZhFk7HWZV6FVGLnJjJoUHyNsrS8apVVRfebQw0ougBZb886HUv:nGtFkKZ9V5yNsDapVVRgQwrVHI87
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan