agenttesla

General

Target

dae5d5b4b99ed5d0e40782475cfad8dc672e9006735615af667e8de62b26cb9e
Size

652KB
Sample

240327-bk36sabf8z
MD5

12736d854254377dd191741691dced18
SHA1

60a98679d8d0c6dd2e8de9fc316bd7a1df6671d5
SHA256

dae5d5b4b99ed5d0e40782475cfad8dc672e9006735615af667e8de62b26cb9e
SHA512

5323b0a044b3ec4a6d52886d359b21418038587d066170e499e9053471aa81f5d388e3eb6745e85bc7f8e10eae65c60bed49679ca63bda08a9f8c06562ef6030
SSDEEP

12288:yVju4e3xdVvv1me+/kdxNvOYsgvcxdX5R3eIsZgp007RnEUPC0kD0GA4xM:yVy4y9vsqdxNG/g039lq7xM

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.denvaco.info
Port:
587
Username:
[email protected]
Password:
vwta.M,AH}Gq
Email To:
[email protected]

Targets

- Target
  
  NewOrder4567.exe
- Size
  
  729KB
- MD5
  
  334706ee1809fb91b773e31a83421a6f
- SHA1
  
  5d9ce7cbfaf669f201cefec925abcfe74b279eed
- SHA256
  
  fd675370ab1863be41ca596f88338c578f0c1f46cef5ae8765daee64d6409b09
- SHA512
  
  77bf82f117111067d3dae4a850b2c3dfbd656e15bf6292281f7a0d14b7b70bcbec9a80407ac4f68fcef7959f46914c5c9f5193029fdea69df044fb0f1240e17f
- SSDEEP
  
  12288:WC8yBa5WRiGJOK4MofpbohrUnEc3dX5R3eI0/gp00TRZEUxC0riPCkR:5pzRWbNpbodyr79tTAx
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2