agenttesla | 12dd00964a5d52a804cd1c37caec48068de018f6d3c1432f359f841a8df89a08 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

f03d0db80476652ed382c76708ef9eee.bin
Size

621KB
Sample

240214-ebba7aga8z
MD5

092b47d3c80b031cc36acec6f6f00b16
SHA1

3a967aa392a796b07355251efb90ddb8d471d794
SHA256

12dd00964a5d52a804cd1c37caec48068de018f6d3c1432f359f841a8df89a08
SHA512

97c584325097fab7f92c03bdecc4716cefb969827f7274cf19026d4df7dd39905f83f3366d814e5e8b5ad62919f2cf1ac8d88637c728e28dbeb034f1f842b077
SSDEEP

12288:PB6hUrRkT7F3pA+QnPMTQ8R76Tr6RI+zapJcz6FnecQGke:PB8U2/F3ph+PMsG76Tr6RhzapJcweO

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.mcmkimya.com
Port:
587
Username:
[email protected]
Password:
kG9xExPyfQBnPtnzYTpg

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mcmkimya.com
Port:
587
Username:
[email protected]
Password:
kG9xExPyfQBnPtnzYTpg
Email To:
[email protected]

Targets

- Target
  
  ba9c0fc610a435fc11f48caf932a52f15e418d45e9ec21c83e08e624b28a8b90.exe
- Size
  
  732KB
- MD5
  
  f03d0db80476652ed382c76708ef9eee
- SHA1
  
  9af52befe94c41e3ffc0e2abca5f3df51ffbeb5d
- SHA256
  
  ba9c0fc610a435fc11f48caf932a52f15e418d45e9ec21c83e08e624b28a8b90
- SHA512
  
  fd179e6b9228bcf01143148a05f9c61083d068f6f1e5c0de29eb3360cfc1d1b0964e237b09f454e63c2e08c6ec6ca6bad8a3682a079ce242ec96c49dd090a17a
- SSDEEP
  
  12288:j33ZyPIDwOw8ftv9+ZDO6DeMTLIHmz+WQ5VRQmOXgiVtp3g5Hdv2kiQPmoIbWYV:j33Z8MBiK6PIGCLVemOgQaHd2khPfIHV
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan