agenttesla

General

Target

8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.zip
Size

283KB
Sample

240118-ghblmsdgcm
MD5

a5df9baff836278a7b6ecf187976b190
SHA1

ea8002dab926a32885cff76936baf1de60ea33b8
SHA256

f8107dcd6388dddcd4133a3bd3bbfb6a12b5ce3b17b2b0b3ec59e23c9771ba5b
SHA512

28684f07c21e47a662a4375850aa3d7ffa20c4782ec8d84c0df852bad79708aec5127c928fcdeaaded10a7c4149fa8cebbf2408d61573b5f38687b6e696a7a2d
SSDEEP

6144:2xo4R4SpAmNYDBkUlXsv6RXL0d7K4r4HCj1TJzRyLZq:Qf5pAmiDlXgk87Kcbg8

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail1.netim.hosting
Port:
587
Username:
[email protected]
Password:
Emotion22
Email To:
[email protected]

Targets

- Target
  
  8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b.xls
- Size
  
  302KB
- MD5
  
  250841072f7bb27d6a75cd026249bb87
- SHA1
  
  190342d9c712d9af9a3dce9eb3f2ff32bf100e23
- SHA256
  
  8549cb420ed5c1edf32b7e28d9d2010dac4867c0dba3650e1f8e7655278d4c5b
- SHA512
  
  27435486bd6eec7c591ec5388aec063d0ceb6f7198bda22dcb5c01dab11aaf878fa5d4b8723fefcb1983387e011100effd1e39d9e38f5b5511e2b1c997b788f0
- SSDEEP
  
  6144:6vBNSHBMixiMK6G+ZFrTUvCp4sJgo0r6Rz4rN9RjymY7TaGv37Aodpz:6vBNQpozwjTqCfgo0ugNymWbvrf3
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3