agenttesla

General

Target

Quotation.pdf.z
Size

618KB
Sample

240329-t447asce51
MD5

e53e3a95646d8e2654bebdee6b687b9e
SHA1

fde5156a8f7ff273bd1353a1b9f4e21c2418de87
SHA256

78f522862bc39091d29d9091f6efc6fc4d7d6797c76faae6a65c26522f191991
SHA512

dda414046a7fb6e3cb3b758f113c9324c3708ec22b6db155b47ddb3ecbf46db2a316f06a2cd638481c7901742f1458aaf0e06df29f3b428e1146fe8bfcda5729
SSDEEP

12288:pipfKAhCNolQUrYkKQvTJad/Tfb5l8mUSi4va0tsaJpeTkMg8nG3rTw6e2zz:pipf9/YWTJofNl8mPi4vxtt7eTC13Jzz

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tariqinternational.com
Port:
587
Username:
[email protected]
Password:
taha@2005
Email To:
[email protected]

Targets

- Target
  
  Quotation.pdf.exe
- Size
  
  695KB
- MD5
  
  61d343222c270b50fdf882011222e435
- SHA1
  
  b57f309cac22c8e79fb9ea43ae92028b5873a66c
- SHA256
  
  a1a5145381a87900950867d3e6632aaf89fdedb9c898bf44fd7efbea077ab224
- SHA512
  
  52cba082b0439d17e7e1d47c6ecc12f172b24e29e9125da2911e44c24c23c8051f30e7615e76700d5341359a2ec26a79ec195ee15e0620f8f9463dbacbc9990e
- SSDEEP
  
  12288:PlShCZs+/zSuMtf+I6BLLVcyMgBDYHsaWuTwAq3XA2ZWieEhcdBDX:NSUq9xfGNc5gBcBWuTwAwHWieu+
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1