agenttesla

General

Target

4752d99a2280a508c977e5dfaa69522f89e9cb97e19e1b2c331fe7cf016e0307
Size

600KB
Sample

240328-yfxvjafe95
MD5

5955663becb854d9e5391ba22c9657c8
SHA1

d99da742886cdc35b6dc1d6d45ce5a243cd4bb39
SHA256

4752d99a2280a508c977e5dfaa69522f89e9cb97e19e1b2c331fe7cf016e0307
SHA512

1c25ac9d97dc29c7e2d6bdfa1a92677e7383b9f6e9f6fbf790d9d625690e520f17ed46079db7e9edc79610ca62a26a6cf7ad7aebee99692f04d3844f7dc7654b
SSDEEP

12288:GsHzOUNUSB/o5LsI1uwajJ5yvv1l2WHRi7d7j3vZSH+wws+EQQ4kT:piUmSB/o5d1ubcv/U7dcPwl9o

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://inhanoi.net.vn
Port:
21
Username:
newboxoffice@inhanoi.net.vn
Password:
^TSt3!FK$UBA

Targets

- Target
  
  4752d99a2280a508c977e5dfaa69522f89e9cb97e19e1b2c331fe7cf016e0307
- Size
  
  600KB
- MD5
  
  5955663becb854d9e5391ba22c9657c8
- SHA1
  
  d99da742886cdc35b6dc1d6d45ce5a243cd4bb39
- SHA256
  
  4752d99a2280a508c977e5dfaa69522f89e9cb97e19e1b2c331fe7cf016e0307
- SHA512
  
  1c25ac9d97dc29c7e2d6bdfa1a92677e7383b9f6e9f6fbf790d9d625690e520f17ed46079db7e9edc79610ca62a26a6cf7ad7aebee99692f04d3844f7dc7654b
- SSDEEP
  
  12288:GsHzOUNUSB/o5LsI1uwajJ5yvv1l2WHRi7d7j3vZSH+wws+EQQ4kT:piUmSB/o5d1ubcv/U7dcPwl9o
Score

10^/10

agenttesla keylogger spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- UPX dump on OEP (original entry point)
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

UPX dump on OEP (original entry point)

UPX packed file

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2