agenttesla

General

Target

8b739e545fc95b979031b1d173680e40804cdfae954553daad04f865571072a5.zip
Size

641KB
Sample

240402-qdyp2sag4z
MD5

5cc96ac6ea3956876de0fdd207e908be
SHA1

c8120b551b7090c0c7cac1b39333d446a6c5f4af
SHA256

8d0fead44f550553c1038fccbee07c91c6cc9eafa5f282819260823e58a69a16
SHA512

ec039ba7f4f639b7939c47083d6378cd529ad6edc4b3eacf1106d7f0201cf0809c24f6add041b9c987d23593ad86ffed055abfb4a83f540baf232c4565d029f9
SSDEEP

12288:2uSDAxcfJ8Zyh4wNGfdAjzoJCiOMx3IUCjOQIcMX:25AxsdhY1Ajy8Mx3IJIZ

Score

10^/10

Malware Config

Targets

- Target
  
  49136 E2K 610622871149136 E2K 6106228711.exe
- Size
  
  804KB
- MD5
  
  e8b61b099af93918a7d59477334471e0
- SHA1
  
  a2ce7a730e96bf6c8f9cd512993fd67cf0c10767
- SHA256
  
  e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb
- SHA512
  
  30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855
- SSDEEP
  
  12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d
Score

10^/10

persistence agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  kigtiqm.exe
- Size
  
  872KB
- MD5
  
  c56b5f0201a3b3de53e561fe76912bfd
- SHA1
  
  2a4062e10a5de813f5688221dbeb3f3ff33eb417
- SHA256
  
  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
- SHA512
  
  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- SSDEEP
  
  12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
Score

3^/10
behavioral3 behavioral4
- Target
  
  xmnxoix.au3
- Size
  
  4KB
- MD5
  
  0d013f6baac0a09a1fb8e14217317503
- SHA1
  
  453fba3488930e98d075946a31e5455b84eed5ba
- SHA256
  
  0a78523b6163a8372ba64e5cc275d68f6582b7ca3a93e3163ad96251cc788d83
- SHA512
  
  05032c4bbdc56992768a87ebaa9a9f43cb9092df401bb61a20673c1bec3a1f3fe4ee7c55c0572ceac9d862538ac765d0e0577cb63424c5edf137f7948feb8ced
- SSDEEP
  
  96:8Qj+oh+0ddn/qEMA98SM/26Ai9qFnOnYPUub2:l+oh+0ddn/KA98//26Ao0Oyry
Score

1^/10
behavioral5 behavioral6