agenttesla

General

Target

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
Size

660KB
Sample

240328-c2bnjaah88
MD5

818c1d4d7b71a802240c5b04010c0929
SHA1

21ab4b40707da5ccdadf53c37458cc5b5ea674a7
SHA256

b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a
SHA512

fb4e9f6eb2b8b4e1f5e9e3b332a3bc40297f69924c60c052632e68ba44e666c2ceea9b5dc2b6aeb0125ebb03b722e5b1668c8ad90618e0a2e96e2c892584892a
SSDEEP

12288:aH2iNlw09szFS6U2/fdkuj+JvDUPXn1+hVh7ziEy27/MxC1GKuMDwK5J8XVhB+g:01XKC2XdLj+JLSX1kEE/M4wK/wK5qVH9

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oceanskylogistics.in
Port:
587
Username:
export@oceanskylogistics.in
Password:
Oce@n@1234
Email To:
jose.oliveirea655@gmail.com

Targets

- Target
  
  b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
- Size
  
  660KB
- MD5
  
  818c1d4d7b71a802240c5b04010c0929
- SHA1
  
  21ab4b40707da5ccdadf53c37458cc5b5ea674a7
- SHA256
  
  b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a
- SHA512
  
  fb4e9f6eb2b8b4e1f5e9e3b332a3bc40297f69924c60c052632e68ba44e666c2ceea9b5dc2b6aeb0125ebb03b722e5b1668c8ad90618e0a2e96e2c892584892a
- SSDEEP
  
  12288:aH2iNlw09szFS6U2/fdkuj+JvDUPXn1+hVh7ziEy27/MxC1GKuMDwK5J8XVhB+g:01XKC2XdLj+JLSX1kEE/M4wK/wK5qVH9
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2