agenttesla

General

Target

1443ecb318ff158823692945f04e0a14_JaffaCakes118
Size

448KB
Sample

240329-a53v3sdf78
MD5

1443ecb318ff158823692945f04e0a14
SHA1

fba634c395ca7bf82496d04e5b45822611db65e5
SHA256

fa9744a9f8530dfe050f21fd9b85a9cabfcfefd30b5290355e3ea6b6c8136b6f
SHA512

ccc22d778f9369b3d38e9658216a1600602f951f7c437aaa6c1292f0bae7eb94dedbc3456cc0ce832a1f9f9ac2e11a58f8c459eb4a215d0b829ad6ae1da06aa5
SSDEEP

6144:aHERGpLRGW22gxFfF1UOVGuklso07Lnaorfxl+y3POaTtDy6JDDT5voaZ5CgZuU9:aHI2LHoF/LN5nysTTgmnaaZ5CgMiyIQ2

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bsia.co.in
Port:
587
Username:
yogesh@bsia.co.in
Password:
21mbsia@)@!Y

Targets

- Target
  
  1443ecb318ff158823692945f04e0a14_JaffaCakes118
- Size
  
  448KB
- MD5
  
  1443ecb318ff158823692945f04e0a14
- SHA1
  
  fba634c395ca7bf82496d04e5b45822611db65e5
- SHA256
  
  fa9744a9f8530dfe050f21fd9b85a9cabfcfefd30b5290355e3ea6b6c8136b6f
- SHA512
  
  ccc22d778f9369b3d38e9658216a1600602f951f7c437aaa6c1292f0bae7eb94dedbc3456cc0ce832a1f9f9ac2e11a58f8c459eb4a215d0b829ad6ae1da06aa5
- SSDEEP
  
  6144:aHERGpLRGW22gxFfF1UOVGuklso07Lnaorfxl+y3POaTtDy6JDDT5voaZ5CgZuU9:aHI2LHoF/LN5nysTTgmnaaZ5CgMiyIQ2
Score

10^/10

agenttesla collection evasion keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2