agenttesla

General

Target

15bee5f27c8e807fca30b704600b5f4ffa67a5fa80d51bb444c42d52c9020cef.exe
Size

751KB
Sample

240229-f2mycafa45
MD5

8a7ea7ff5e5cce2ca107a23aeb40b4e3
SHA1

0fe3cc81e2d4f294d80a8428783a72eb8cd82c6e
SHA256

15bee5f27c8e807fca30b704600b5f4ffa67a5fa80d51bb444c42d52c9020cef
SHA512

37d3e30a2f82484ece8040ac334369bad247b0cbb7c0326f31b046e2f5203823e4ba7c962b1cf2431fa357f07c1e53fff5848aaa88241a8e623d89637d427ab7
SSDEEP

12288:C8S+oGOKcbWAL9bW9ezgqZDKogif+UPJsXf4vIUeVfvGMbvk1RsXS38Mc14hhjwd:RAL9iyga+ogimUmXgRnMY1RRg8hcH

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.commtechtrading.com
Port:
587
Username:
[email protected]
Password:
;elP@ho2Np 7[
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.commtechtrading.com
Port:
587
Username:
[email protected]
Password:
;elP@ho2Np 7[

Targets

- Target
  
  15bee5f27c8e807fca30b704600b5f4ffa67a5fa80d51bb444c42d52c9020cef.exe
- Size
  
  751KB
- MD5
  
  8a7ea7ff5e5cce2ca107a23aeb40b4e3
- SHA1
  
  0fe3cc81e2d4f294d80a8428783a72eb8cd82c6e
- SHA256
  
  15bee5f27c8e807fca30b704600b5f4ffa67a5fa80d51bb444c42d52c9020cef
- SHA512
  
  37d3e30a2f82484ece8040ac334369bad247b0cbb7c0326f31b046e2f5203823e4ba7c962b1cf2431fa357f07c1e53fff5848aaa88241a8e623d89637d427ab7
- SSDEEP
  
  12288:C8S+oGOKcbWAL9bW9ezgqZDKogif+UPJsXf4vIUeVfvGMbvk1RsXS38Mc14hhjwd:RAL9iyga+ogimUmXgRnMY1RRg8hcH
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2