agenttesla | b5fd9e32e7b35870a09bf2a8164909ea1288cd4697db68246cd1a9b73061ae66 | Triage

Sharing

General

Target

b5fd9e32e7b35870a09bf2a8164909ea1288cd4697db68246cd1a9b73061ae66
Size

730KB
Sample

231106-msm1baaf2x
MD5

25fef489ce014a70bd5e73e94338dbb6
SHA1

90dd6309a836e64172e0e1e9d4fde4301a1eef51
SHA256

b5fd9e32e7b35870a09bf2a8164909ea1288cd4697db68246cd1a9b73061ae66
SHA512

331c7f7a5ea591a9348cc98843b2d2308ae5586e212f06a71de25d79f30e4a2a538a7300b1da75c4860bd4cc8fcba67ee64ec965bbdb02794483375f55840282
SSDEEP

12288:VGZka8GeT7rmHi0/NVJ6hcy8kPaH9i+o7tP4hle2lp/gJftqj80Jq4B0SanbID:VGFhWdaNVJB/qmi+o714LTYJF6HJnHaE

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.apcoflex.com
Port:
587
Username:
[email protected]
Password:
Dorrah@2889

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.apcoflex.com
Port:
587
Username:
[email protected]
Password:
Dorrah@2889
Email To:
[email protected]

Targets

- Target
  
  sUTJVHThqUw8FNT.exe
- Size
  
  797KB
- MD5
  
  5a21695a4cf1f0c6dafc040fa2934c4b
- SHA1
  
  cddb0a9db8493e2740717d4f59fb4f6521c2c1de
- SHA256
  
  178ba4d2df748d17f3000be116289cfe301e6140dfef6fa3c917771fccea79ff
- SHA512
  
  fa2187a0cbe3e7b66188adc70272d13ac888e09bc3be99839292a8a6f7cf460ce2aa046dafcfa87b7fcc0eecc9e79c13becca032f85dafa813d3d2a672a9be31
- SSDEEP
  
  12288:gZoaBMXHdjrM9ahKIhcyiuPaN9A+QvtPI3OZbPdZ4OEpjL:FXHdjIOK7ngiA+Qv1YOZXd
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan