agenttesla | 22df8179643d2be4e46f0260396e1107c6203e66116d78662ddb4ab2244e4bcb | Triage

Sharing

General

Target

22df8179643d2be4e46f0260396e1107c6203e66116d78662ddb4ab2244e4bcb
Size

639KB
Sample

240327-cnwfsaac39
MD5

6a562f665fc6f9ae83843150f96647a1
SHA1

72cd1f0c0176c5fef9b1931f76e7ffe17e267d8f
SHA256

22df8179643d2be4e46f0260396e1107c6203e66116d78662ddb4ab2244e4bcb
SHA512

fb34508d87dad2e0a64724554da78fd0e968e6cd7bfc1f2c45346fdce83d7e94a69fb0bfaf661a41e286c3685bfa7e8de7077daf260540e8bf5b70fa7f808a59
SSDEEP

12288:QWI7W+5gqaw02TeoMobEkU15L0l0P8Youz5DHmJ1Z7DzSB9T:Z10gnwfeoMo5Ubn5V4J1ZXzSBF

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.thanhancompony.com
Port:
587
Username:
[email protected]
Password:
aSkIhV^3
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
smtp.thanhancompony.com
Port:
587
Username:
[email protected]
Password:
aSkIhV^3

Targets

- Target
  
  INVOICE_MAR-74190-2024.exe
- Size
  
  708KB
- MD5
  
  526e0265490c2074f9987249452af0a1
- SHA1
  
  4c7d438ebd1c703d315ad6d81823c9e2fc5e843a
- SHA256
  
  29f111addb7b0ee4904137337352fe86d3ed557508820cabb875a53ef24a6394
- SHA512
  
  d1fcac067acc40e687b6eff18993f71af809bffa0c558256676359152bbd17ef300b01d3bf76c8ae40c3b9f0aa5ee032cf3ead57bf40c0ce38c6c6b254c713dc
- SSDEEP
  
  12288:5CITHa5WB65wgIaWQrdeKMobaI2f1b0l0t8YyuF5bHKJ1tEM3H5iVCR:gyNB6SgpWyeKMox2N15JcJ1tEMJD
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan