agenttesla | 08fe61636ab92dd74674ed3834efa96abcb88b421ea52c89f84b3988e62cfc84 | Triage

Sharing

General

Target

PO #SBPO2312-007.ace
Size

569KB
Sample

231114-aj61lsfe9v
MD5

83ead7fdcf134d2e6e6ba4a356e27813
SHA1

60590d4c6616dc65bb2a6d6af1b97fca87c43b29
SHA256

08fe61636ab92dd74674ed3834efa96abcb88b421ea52c89f84b3988e62cfc84
SHA512

cff36236737a103a5bcdef3ac6b975bc42e3294d71d435d8af8ebedb352053d4c2da8e3c43272256b97c38d8792213557d62bc6f009bf93f4b977b38d827b6df
SSDEEP

12288:WEeSEYqyMFLHfDRMGVLpgfKIS4AQnN9NBvzWzM8NazYdKjGQm3LyGrc:WEaYqdLHtMGVLSKIS4AkNfAY81Ku3L5g

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.bresciagrameen.lk
Port:
587
Username:
[email protected]
Password:
#S413vT0u45#

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bresciagrameen.lk
Port:
587
Username:
[email protected]
Password:
#S413vT0u45#
Email To:
[email protected]

Targets

- Target
  
  PO #SBPO2312-007.exe
- Size
  
  602KB
- MD5
  
  0c0159b88a994ace64b071d86fb20291
- SHA1
  
  8a8c2b33882e32523b7c04a8a0a6719f3ffe1c65
- SHA256
  
  09288397094d8d4849f09b8ef819c1140fb87bdeafd49292f545078973b1ae1e
- SHA512
  
  0b31d8fe69c0815fae144d2d5066b9e1a56d7d54bb29f0cea44dc432d1589800a4e677340a0cfb2eed3a5a2500801ecc10cbd0a7818a2e3c34f31702646ad276
- SSDEEP
  
  12288:a0VcgYZMqNw77M9K2gofroYLlm/XijDFhTWezdCZGaPfvV5cotJR:aIqy+lm/+Fdz1wbJ
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

agentteslakeyloggerspywarestealertrojan