agenttesla

General

Target

e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.zip
Size

641KB
Sample

240402-mnat7afb91
MD5

f33e60e40a723ba1c429d895755469dd
SHA1

d8518a5504d2dcc3048af930d36481da537bdc70
SHA256

6bd830dd4c73fbf000b6d07e62751a4c2313b3bba8569b8612d9e390f65161a1
SHA512

1235fca86033c50ed5520b49290d555c28619a7bf64327b795f87c27d972ad9af2093f23d620cacbbb3d66f99469aff0db1c12357b3cc2c4eede2b3b26b7989a
SSDEEP

12288:cHlbsMwUVGgxljLeEAzu3ereg1Ef8Vnh+5cRFhIY6cYphQ6GlWhqViM2E4D:ElbsMFfn2Deg1akh+K3hIYtAhYlpViMU

Score

10^/10

Malware Config

Targets

- Target
  
  e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb.exe
- Size
  
  804KB
- MD5
  
  e8b61b099af93918a7d59477334471e0
- SHA1
  
  a2ce7a730e96bf6c8f9cd512993fd67cf0c10767
- SHA256
  
  e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb
- SHA512
  
  30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855
- SSDEEP
  
  12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d
Score

10^/10

persistence agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  kigtiqm.exe
- Size
  
  872KB
- MD5
  
  c56b5f0201a3b3de53e561fe76912bfd
- SHA1
  
  2a4062e10a5de813f5688221dbeb3f3ff33eb417
- SHA256
  
  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- SHA512
  
  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- SSDEEP
  
  12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
Score

3^/10
behavioral3 behavioral4
- Target
  
  xmnxoix.au3
- Size
  
  4KB
- MD5
  
  0d013f6baac0a09a1fb8e14217317503
- SHA1
  
  453fba3488930e98d075946a31e5455b84eed5ba
- SHA256
  
  0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83
- SHA512
  
  05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced
- SSDEEP
  
  96:8Qj+oh+0ddn/qEMA98SM/26Ai9qFnOnYPUub2:l+oh+0ddn/KA98//26Ao0Oyry
Score

1^/10
behavioral5 behavioral6