agenttesla

General

Target

db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d
Size

1.0MB
Sample

240307-ak16rada31
MD5

a137ddf047bb1db826af4ccb3110db6d
SHA1

dd93f6c84d0b01d78d7eae68811e8f5edd512019
SHA256

db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d
SHA512

bc6a5259b8dbf751ad5024b35c556afff2db8b85f9f784f07b72dfc6099d5a6b9a28dd6802fb780c9764e68fc85c62abda45449a92f12a917ffb17a40223b475
SSDEEP

24576:dtb20pkaCqT5TBWgNQ7anf9xR7LkwR6A:OVg5tQ7anfBLj5

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Targets

- Target
  
  db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d
- Size
  
  1.0MB
- MD5
  
  a137ddf047bb1db826af4ccb3110db6d
- SHA1
  
  dd93f6c84d0b01d78d7eae68811e8f5edd512019
- SHA256
  
  db2a735938b292d1ae64c39874f13f94f4abf607a8b536ca92003d42d3e1d03d
- SHA512
  
  bc6a5259b8dbf751ad5024b35c556afff2db8b85f9f784f07b72dfc6099d5a6b9a28dd6802fb780c9764e68fc85c62abda45449a92f12a917ffb17a40223b475
- SSDEEP
  
  24576:dtb20pkaCqT5TBWgNQ7anf9xR7LkwR6A:OVg5tQ7anfBLj5
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2