agenttesla

General

Target

632ffc57bc8ccc27bac4838575402a8794bd5a168acba012d557c10dbcadaba4.exe
Size

1.0MB
Sample

240214-f5hsssac2v
MD5

549ada660c81d270fc3974f5bbaf7087
SHA1

0868bd891c9146affabb088cf63edc09cad9e594
SHA256

632ffc57bc8ccc27bac4838575402a8794bd5a168acba012d557c10dbcadaba4
SHA512

2dfac4a05ca0874fce2c8211128430c558e48613a867a4d69215d4fd7a29eb6a0087aaf007b95e156ab59258f6985d1f4ab211cc0766afdcaff63ce9181d56eb
SSDEEP

24576:pRmJkcoQricOIQxiZY1iaupzcwfc8ivfBq:mJZoQrbTFZY1iaupzsJq

Score

10^/10

Malware Config

Targets

- Target
  
  632ffc57bc8ccc27bac4838575402a8794bd5a168acba012d557c10dbcadaba4.exe
- Size
  
  1.0MB
- MD5
  
  549ada660c81d270fc3974f5bbaf7087
- SHA1
  
  0868bd891c9146affabb088cf63edc09cad9e594
- SHA256
  
  632ffc57bc8ccc27bac4838575402a8794bd5a168acba012d557c10dbcadaba4
- SHA512
  
  2dfac4a05ca0874fce2c8211128430c558e48613a867a4d69215d4fd7a29eb6a0087aaf007b95e156ab59258f6985d1f4ab211cc0766afdcaff63ce9181d56eb
- SSDEEP
  
  24576:pRmJkcoQricOIQxiZY1iaupzcwfc8ivfBq:mJZoQrbTFZY1iaupzsJq
Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect ZGRat V1
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2