agenttesla

General

Target

61cb74f9764f2a8b455d79c4d3e5dcca.bin
Size

596KB
Sample

240328-b2akssad64
MD5

1d97ab5e388b5d3dd791efec939dca7e
SHA1

a275dcd42018a7d583369676fe1bae1196d1bc4e
SHA256

c83315ee1dfa26e4965c872c2e95989edce100ae5ce9c773c1b5081bcb455427
SHA512

33ab43c6fd85cde84a736462654de9cc85ba54d5433c93a565d539c9bc78699614d2acfbb9c43ac6adfb12fbd8799adc4b2227e5d859195ba8c5b4fb0e03de4f
SSDEEP

12288:ojx76DDKjC4A6tLI5n3tZHPOB8RaXVnoAYu7EuhFKjayAeaB2Ahg8MRB:M76Duja6tLIl3tJ2mRuVnoAvEuTLhTBU

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.starlinetrading.com
Port:
587
Username:
[email protected]
Password:
Tmn@#1571963?%
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.starlinetrading.com
Port:
587
Username:
[email protected]
Password:
Tmn@#1571963?%

Targets

- Target
  
  96d8f946d4ba59979608136ba3117652705bfdca1365f5e5b8a148fa5a601e11.exe
- Size
  
  610KB
- MD5
  
  61cb74f9764f2a8b455d79c4d3e5dcca
- SHA1
  
  1708abba5ebd178c577bf8bd7cd2e88c83b1c201
- SHA256
  
  96d8f946d4ba59979608136ba3117652705bfdca1365f5e5b8a148fa5a601e11
- SHA512
  
  e8a1cf8d3ecffdbdc3c554bf0352e58a15d9a0fdf312bd3840dd472bc11fb5feba12c91833bcbee4f019bc6910e2c7119704b801af670f43b43a1132b0ade646
- SSDEEP
  
  12288:u55xmaJeoR9pXCCfiahrO3KU17zcwlVPn0U4FiW2KriiZ/8xMna5W56w:GJVHga5O3KU1rf0LizKXZ/8Ot
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2