agenttesla

General

Target

Unconfirmed 927733.crdownload
Size

577KB
Sample

240304-xv8pxabe78
MD5

c942c21bcd6dbebdbe2ea20d19b1fbc7
SHA1

79ec41591a47a34a8ab123b217533673d17ebc0d
SHA256

1507118f528232defccaa4b670e7e72fbcf1a97e272114425517b49133cf8ee7
SHA512

2e4ed826ca26d6fb1080ac5da78d1fc90a4b5039643d1475aa72f9083163f83d02f3dd836b546d9aa1740df5d62995861f0e671ea7b130daa40dcc15224ebafe
SSDEEP

12288:z+beeYnIsTZTrlbCcllLRr7VyNYQChdcKHOysMaqsI142oxyX+UrDh15:zU0IuZTrtHFKNsdP51zcxybZ15

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cybernetics.co.za
Port:
587
Username:
[email protected]
Password:
P@ssw0rd

Targets

- Target
  
  Unconfirmed 927733.crdownload
- Size
  
  577KB
- MD5
  
  c942c21bcd6dbebdbe2ea20d19b1fbc7
- SHA1
  
  79ec41591a47a34a8ab123b217533673d17ebc0d
- SHA256
  
  1507118f528232defccaa4b670e7e72fbcf1a97e272114425517b49133cf8ee7
- SHA512
  
  2e4ed826ca26d6fb1080ac5da78d1fc90a4b5039643d1475aa72f9083163f83d02f3dd836b546d9aa1740df5d62995861f0e671ea7b130daa40dcc15224ebafe
- SSDEEP
  
  12288:z+beeYnIsTZTrlbCcllLRr7VyNYQChdcKHOysMaqsI142oxyX+UrDh15:zU0IuZTrtHFKNsdP51zcxybZ15
Score

1^/10
behavioral1 behavioral2
- Target
  
  united scientific equipent.exe
- Size
  
  710KB
- MD5
  
  71536be72d8cc9dc156f1ff70b7f69a5
- SHA1
  
  ff0bb0d7e4dfa01c187c80d2e42d85feb22d98b9
- SHA256
  
  9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415
- SHA512
  
  9a98d57116a638e4ec0df224c243a074de233bf1859ea6a5efbf0d4d36ef470a9421d535e2d35371c1191d72f09aa0352ba9d147dae62ef6e4fc5c0650df07c9
- SSDEEP
  
  12288:v1XZi970Oz6hGy69oswvYeMW5+uCwpla6Mqbjvkgb3I9S0dbp5Ne:dXZ7DnY/WcuCd1qbjvkWI9S0Fp5Ne
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4