agenttesla

General

Target

b9ed438f763584171822b73a28273427a0923cca26b8e40b008e3aefbcf48d79.exe
Size

790KB
Sample

240213-fk8tgscb5x
MD5

4139eb079206e8a99e5a801a5f2c74d0
SHA1

62baf3ff2623429dd7c3a9e2c011e8419482b833
SHA256

b9ed438f763584171822b73a28273427a0923cca26b8e40b008e3aefbcf48d79
SHA512

f395f99bcd7ed5afa486c4587d2ceeb821a68cbae00af0b4e9f7a5211cd5d53038f26008a6af88fdce1cf9137187ea210c1a85f061ddd1f532978d9576bdb674
SSDEEP

24576:SpNlCZoi0e8UZDdEVjZ7OifqWC+cn4Mfo68bsh:Sf+oirDMXHC+Q40ab

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.htgroup-libya.com.ly
Port:
587
Username:
[email protected]
Password:
Htam@2023#006
Email To:
[email protected]

Targets

- Target
  
  b9ed438f763584171822b73a28273427a0923cca26b8e40b008e3aefbcf48d79.exe
- Size
  
  790KB
- MD5
  
  4139eb079206e8a99e5a801a5f2c74d0
- SHA1
  
  62baf3ff2623429dd7c3a9e2c011e8419482b833
- SHA256
  
  b9ed438f763584171822b73a28273427a0923cca26b8e40b008e3aefbcf48d79
- SHA512
  
  f395f99bcd7ed5afa486c4587d2ceeb821a68cbae00af0b4e9f7a5211cd5d53038f26008a6af88fdce1cf9137187ea210c1a85f061ddd1f532978d9576bdb674
- SSDEEP
  
  24576:SpNlCZoi0e8UZDdEVjZ7OifqWC+cn4Mfo68bsh:Sf+oirDMXHC+Q40ab
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2