agenttesla

General

Target

SecuriteInfo.com.Win32.PWSX-gen.21299.5155
Size

747KB
Sample

240327-kc1v5agc94
MD5

7e50b0328014e0c2f3ec7bc7ecec7d27
SHA1

ed2f7dca7d90b68b992f78ecb33ce80554610027
SHA256

c2a6bcd8a0594ef65687fad97e30f52c0a6995efd5739c1a431376de5ad2857a
SHA512

b00d7d38f0b80506a701859caea9c767fb1efe1ab595c85817019900389a5d36f225c82cf240fe5a1ba788b0a43cd4b5ee91882e6c60bc2c4d1a8f9d17ec49cd
SSDEEP

12288:ok6ayww07LVL0JCXCNsol0jRhH7MfaQx64kuaizm/AlH3kjY+n1cE3:sajTpICCFslijFS/kUjVx

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.wecaresvc.com
Port:
587
Username:
[email protected]
Password:
s2a8l4e9skao

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.wecaresvc.com
Port:
587
Username:
[email protected]
Password:
s2a8l4e9skao
Email To:
[email protected]

Targets

- Target
  
  SecuriteInfo.com.Win32.PWSX-gen.21299.5155
- Size
  
  747KB
- MD5
  
  7e50b0328014e0c2f3ec7bc7ecec7d27
- SHA1
  
  ed2f7dca7d90b68b992f78ecb33ce80554610027
- SHA256
  
  c2a6bcd8a0594ef65687fad97e30f52c0a6995efd5739c1a431376de5ad2857a
- SHA512
  
  b00d7d38f0b80506a701859caea9c767fb1efe1ab595c85817019900389a5d36f225c82cf240fe5a1ba788b0a43cd4b5ee91882e6c60bc2c4d1a8f9d17ec49cd
- SSDEEP
  
  12288:ok6ayww07LVL0JCXCNsol0jRhH7MfaQx64kuaizm/AlH3kjY+n1cE3:sajTpICCFslijFS/kUjVx
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2