agenttesla

General

Target

922ed44d8e5c7526f172f18f7f2bcb352ae3c89295aa0b18448e6e18892ec4ef.exe
Size

728KB
Sample

240328-cx45aadb5y
MD5

339649aa12a77cfcc09c7b07fc9d7f52
SHA1

038ef4d52e2553340063d713660a1c4aa1fb7619
SHA256

922ed44d8e5c7526f172f18f7f2bcb352ae3c89295aa0b18448e6e18892ec4ef
SHA512

c329d09e06adf39e27ea380ada1913ecf3ef4211c3edcd1f3c1515f55fc0e9360e256efe7f1adc57852e56905e0376b61c87151e543bf8461e2e12c5d52196c2
SSDEEP

12288:3JglQx+3ZRl5RY4btD+K5t7UQC4u88ildNMPbUrpOwD4muneIjRxmL87vWX1pfSf:ZpxQRhtV88dgbUdOwTunGL8j15ya0M

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.itresinc.com
Port:
587
Username:
investorwithkarlee@itresinc.com
Password:
MT]ANFjWzKTA
Email To:
obtxxxtf@gmail.com

Extracted

Credentials

Protocol: smtp
Host:
mail.itresinc.com
Port:
587
Username:
investorwithkarlee@itresinc.com
Password:
MT]ANFjWzKTA

Targets

- Target
  
  922ed44d8e5c7526f172f18f7f2bcb352ae3c89295aa0b18448e6e18892ec4ef.exe
- Size
  
  728KB
- MD5
  
  339649aa12a77cfcc09c7b07fc9d7f52
- SHA1
  
  038ef4d52e2553340063d713660a1c4aa1fb7619
- SHA256
  
  922ed44d8e5c7526f172f18f7f2bcb352ae3c89295aa0b18448e6e18892ec4ef
- SHA512
  
  c329d09e06adf39e27ea380ada1913ecf3ef4211c3edcd1f3c1515f55fc0e9360e256efe7f1adc57852e56905e0376b61c87151e543bf8461e2e12c5d52196c2
- SSDEEP
  
  12288:3JglQx+3ZRl5RY4btD+K5t7UQC4u88ildNMPbUrpOwD4muneIjRxmL87vWX1pfSf:ZpxQRhtV88dgbUdOwTunGL8j15ya0M
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2