agenttesla

General

Target

e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029.exe
Size

608KB
Sample

240326-dhy56acd24
MD5

0aeb7bc1e4ef7693e20f2e9b3cfd65a0
SHA1

1c6f6a8e9bb62ee29c3c5b23f73d660db3954ef7
SHA256

e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029
SHA512

1ab64df28ffcf0d88a211723c20be896e40730013fe103732dc7911923cbfe84a28b18a252d34b95804acf9cd3b169f1199747628d0f8b8cff68b158ee9121ef
SSDEEP

12288:VI59EO75O5kk24qJB0cfscFFlsQczFo/HyfPuD:VI5B05k6qMcFszpGS3uD

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.normagroup.com.tr
Port:
21
Username:
[email protected]
Password:
Kingdom12345@

Extracted

Credentials

Protocol: ftp
Host:
ftp.normagroup.com.tr
Port:
21
Username:
[email protected]
Password:
Kingdom12345@

Targets

- Target
  
  e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029.exe
- Size
  
  608KB
- MD5
  
  0aeb7bc1e4ef7693e20f2e9b3cfd65a0
- SHA1
  
  1c6f6a8e9bb62ee29c3c5b23f73d660db3954ef7
- SHA256
  
  e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029
- SHA512
  
  1ab64df28ffcf0d88a211723c20be896e40730013fe103732dc7911923cbfe84a28b18a252d34b95804acf9cd3b169f1199747628d0f8b8cff68b158ee9121ef
- SSDEEP
  
  12288:VI59EO75O5kk24qJB0cfscFFlsQczFo/HyfPuD:VI5B05k6qMcFszpGS3uD
Score

10^/10

agenttesla evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with or use KoiVM
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2