agenttesla

General

Target

34d4f41be41415d251e917eec848e3a0e93a741ef5ac3d17e2781597c6d947a9
Size

69KB
Sample

240316-bqgjzagd6z
MD5

e567a41dabaf821c0bc51aff2925c190
SHA1

761fe57c2da0aa95562369e67370748239e390db
SHA256

34d4f41be41415d251e917eec848e3a0e93a741ef5ac3d17e2781597c6d947a9
SHA512

a6e43a2f22ccb5c70f5974193d0d0091f6b89a322002c37ce386ef8f2231ac0f58edd2bcb6cdde15f10387e26abcb09da2481b384ec9a408e700d2a8e611526e
SSDEEP

1536:6TtLyGyu01akkh9wTt+XqVlknkkqdiuuYzsaOYC97jSVL6V:6tHwB+XqVlknkkqdiuuYzsaOr7jaLQ

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.mez.com.tr
Port:
587
Username:
[email protected]
Password:
Ey25tK

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.mez.com.tr
Port:
587
Username:
[email protected]
Password:
Ey25tK
Email To:
[email protected]

Targets

- Target
  
  34d4f41be41415d251e917eec848e3a0e93a741ef5ac3d17e2781597c6d947a9
- Size
  
  69KB
- MD5
  
  e567a41dabaf821c0bc51aff2925c190
- SHA1
  
  761fe57c2da0aa95562369e67370748239e390db
- SHA256
  
  34d4f41be41415d251e917eec848e3a0e93a741ef5ac3d17e2781597c6d947a9
- SHA512
  
  a6e43a2f22ccb5c70f5974193d0d0091f6b89a322002c37ce386ef8f2231ac0f58edd2bcb6cdde15f10387e26abcb09da2481b384ec9a408e700d2a8e611526e
- SSDEEP
  
  1536:6TtLyGyu01akkh9wTt+XqVlknkkqdiuuYzsaOYC97jSVL6V:6tHwB+XqVlknkkqdiuuYzsaOr7jaLQ
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Blocklisted process makes network request
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2