agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d
Size

5.3MB
Sample

231206-c3q5lsad49
MD5

ca4711c30efb40ef4efed068e84b608e
SHA1

8838972d8b66f51e3e39081aaff22eac79432bea
SHA256

cd77b109e45ef08f0b25ae4e211b4134bd7c349cbdf2ecde6425ec267a6a3a0d
SHA512

a9e4e63abf3d9c9512e97c9084d3dff4d664c2819e49f42bd7eaa5f84f2795e0d28822c60ebd4fd97211709239ac124bc408581a206b1cb40e382c315defde14
SSDEEP

98304:8gmy+Qm/XZd3fOUlgmI5XtG2e0jTfxy9VcaoKBFULPz4dEyRwqBVPqDUpdfvhrzR:xL+Q4p5plgmz2e0jTxwETz4dfRwQVSDY

Score

10^/10

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/

Extracted

Credentials

Protocol: smtp
Host:
mail.gimpex-imerys.com
Port:
587
Username:
[email protected]
Password:
h45ZVRb6(IMF

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.elec-qatar.com
Port:
587
Username:
[email protected]
Password:
MHabrar2019@#
Email To:
[email protected]

Targets

- Target
  
  18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
- Size
  
  823KB
- MD5
  
  77e7f5ee129d7a0eb6a063c6700083f6
- SHA1
  
  3809d6d83545814b6ca32ee97de22a5d9ce43114
- SHA256
  
  18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d
- SHA512
  
  5933fba201b39e8e3768b2eae316e9ab2bce27446d96b521f044a7960f7402ee2fd44c5d1f5be5ff0e8390978e836c030b3b341039e2023aace9d7f39693611e
- SSDEEP
  
  12288:PWcXtW8G34/uK45+po2PUabkUh88z0IvoFMY1EUcCzetvc4en1ccxfD0whVS3UeJ:634/up+pJKY3o7NHiFcrn9xfnV+bJ
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  1c8b4ce8d40a1abab07532a4d3a3832fc7e7e1c00c32002d264220afa0529b78.exe
- Size
  
  173KB
- MD5
  
  2c4d4eb864e1de4eee51f0cf47e11d45
- SHA1
  
  97e4a487e54af17dbb2deceed4b758d934c12478
- SHA256
  
  1c8b4ce8d40a1abab07532a4d3a3832fc7e7e1c00c32002d264220afa0529b78
- SHA512
  
  501a19ac2c7421fbf78ad35ad4593c38fcc021a001a797d648832ccba6606b01b08aed2f2e85abb583bdd2ce2c2a2dde6d0874cb3d16ecad6473e3eef0e587d7
- SSDEEP
  
  1536:oGXt/KSsHrtMD9QD9su0PQ/nNNBpzSTgFN0/QAEl20hq0GeyX9Ef+qcNrqs8jcdm:pJKLr4Q6M/pps/QTE2K9s+xCKqVoQ
Score

1^/10
behavioral3 behavioral4
- Target
  
  456480580b48923a2771689cf8ee2240d1a98f5c1633671260bdc203ce5a8edd.exe
- Size
  
  3.3MB
- MD5
  
  15bc4d1c91da5d491756d4c4cfa96f8e
- SHA1
  
  d1a0a6f32d9a41ff76fe2a0ff3ef084334b949d6
- SHA256
  
  456480580b48923a2771689cf8ee2240d1a98f5c1633671260bdc203ce5a8edd
- SHA512
  
  f7658e5fd2228cb28ea823027139a221f4d0721a4a2f30e3454bdecdb37a903ae35cb7830ad0cf6ef36233334cc9936768ed8505bb277ff5994a9e95202ec99b
- SSDEEP
  
  98304:NAhjsRxEm2bTLMup0z1Uesj6qqDK8COMf3:NAJDHbTLbpU1ij6jCzf
Score

10^/10

njrat trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
behavioral5 behavioral6
- Target
  
  700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58.exe
- Size
  
  758KB
- MD5
  
  fdee1760ee8830c6406a76561e28afee
- SHA1
  
  72e78f9aef571fe3bfaee794f503a8619f772f5f
- SHA256
  
  700e76e7520021aeb60b4cd42c3ab8bbd2a20fc36228ad4dfce94c927b6e7f58
- SHA512
  
  5a22f1df65a2121bdca35742ea8613723ab65f6a2d6faa7c5516ba977aa084aac463aab8f9f461cba508c489b933a6974224ae929a3dee4cedaa3f451bec6131
- SSDEEP
  
  12288:qfYNr4RbLxP45+po2UTi3B4NYc+vuDueVC9TWwx5Lo23bf7ssHhsJx5dPoavX+:ELk+pJUTiR4KcnaeUNh5Lo2LgEheca
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da.exe
- Size
  
  830KB
- MD5
  
  985225f6ec19a166c50bd5d0e16d330f
- SHA1
  
  9022950aa9cef1cc010c636a97b229e30d0002b0
- SHA256
  
  82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da
- SHA512
  
  a4d5576cc36994ae0d6bfa0545961370f429bd8a4e875a65e77f6f4cf522dbf1fa82fb5491b593f26178a6a27c8c1b54214b06c29b43a6c2e09908ab4361d5a0
- SSDEEP
  
  24576:koPOk+pJZDI7EeT/ZhOX0IAmQeY14VDjh:nyJ6ZT/Zh3IAmQ5qD
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral10 behavioral9
- Target
  
  ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4.elf
- Size
  
  61KB
- MD5
  
  fa9bbf55033f574c2b4cbd81da5ed433
- SHA1
  
  6cb40777e153a9e4028e5c30c5af86b0f56f768e
- SHA256
  
  ba01c08c3a6ea99f565ed6c06067bf4c9d257168ffb76da644cce01d94313db4
- SHA512
  
  08c39d6214ce0ffa7a6030daa5f45a7774730c2a5599c8213bd40f38b5538a71f9e87e8345d379e642506405924fe2b194e395b354d5cba79b876478bcbb72b6
- SSDEEP
  
  1536:1aoa3nfdgN5ceyp3row6V1R75T5Ix/yEvSmY:1aoGnfW2pbyV1R7krA
Score

9^/10

discovery
- Contacts a large (76773) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Changes its process name
- Deletes itself
- Renames itself
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral11

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

njRAT/Bladabindi

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

AgentTesla

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Contacts a large (76773) amount of remote hosts

Creates a large amount of network flows

Changes its process name

Deletes itself

Renames itself

Unexpected DNS network traffic destination

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11