agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

7f7e9c4eda4a83d113cc932cbe3ea3df1b73970885492ba441dc07f249ac02a1
Size

11.1MB
Sample

240406-bh5a3agg25
MD5

296e8f5984287be6a99442f747f1f539
SHA1

37bb03b4f4c7a25845c66095a6d233e722c53e0b
SHA256

7f7e9c4eda4a83d113cc932cbe3ea3df1b73970885492ba441dc07f249ac02a1
SHA512

8dfd7451731de7702a6e9591d308395b9c85b95e9ddc4ac08d27038a1b48ff5d176356d72eb7272d4bbdd3cfe46e658ae87061c3d120059e531341a8414fdfad
SSDEEP

196608:Z+NnEQylWX30ZLFdTHyx4qfcFfABjLGowHc2yWQQuf72wTeRaViKTBxKViLDuQuT:EEQylW0Z/Syqf6IBgRwpf72wTeRaUVoW

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hoangtruongphat.com
Port:
587
Username:
[email protected]
Password:
hoangtruongphat818
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.hoangtruongphat.com
Port:
587
Username:
[email protected]
Password:
hoangtruongphat818

Extracted

Credentials

Protocol: smtp
Host:
mail.sintecno.gr
Port:
587
Username:
[email protected]
Password:
nDoTaIty%Il8

Targets

- Target
  
  15b6539b5d7bee782f040800d36f7f4a1f066f68377b8cf72be88fcf09509ddf.elf
- Size
  
  48KB
- MD5
  
  17cbf330bd77ea7c64b2f773bfb431f6
- SHA1
  
  b25c22e73f69dd4289587765e0c8547f2413cd16
- SHA256
  
  15b6539b5d7bee782f040800d36f7f4a1f066f68377b8cf72be88fcf09509ddf
- SHA512
  
  5d018134c8c804c64ec3beb143f40c59e73af5d1ef3198845761699b96a0d67cb566257a567a4b852c907146c1b204679f1343a285ba4ac28a45cdd1c95cbebf
- SSDEEP
  
  1536:7k8r57Ml1CV3zefih8xpVhiL8oeQ3YcYV5:YA57r3zdh8xpTtKZYV5
Score

7^/10
- Changes its process name
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Writes DNS configuration
  Writes data to DNS resolver config file.
behavioral1
- Target
  
  27bd1b526e61d1c226e8ab83982a560acce30922245b7f20c4e2fbd60cf8c097.elf
- Size
  
  47KB
- MD5
  
  cce2bea605b6a3bc5305f7d7e658ae7f
- SHA1
  
  94f073b7c34daeccb1cee41df32d9277f0853bf9
- SHA256
  
  27bd1b526e61d1c226e8ab83982a560acce30922245b7f20c4e2fbd60cf8c097
- SHA512
  
  f9aae86d7f5176ee34d9d32ca31271ddbbae6b53ac04a6e2446c366f11d6f2f6ddeb00d2351d6691ba51034d9ba3923c2fa130c282428654ac7d48df6543dfec
- SSDEEP
  
  768:WKqS/RCs+idKVm2iBxsC/38o1JsKJGFwVuhCQaIgO5QJAgWnOoeBIIwbROPEUGJY:WJ8RCs+idumRBxr8oDWFMJXgJgWBeBjt
Score

7^/10
- Changes its process name
- Flushes firewall rules
  Flushes/ disables firewall rules inside the Linux kernel.
- Modifies Watchdog functionality
  Malware like Mirai modifies the Watchdog to prevent it restarting an infected system.
- Writes DNS configuration
  Writes data to DNS resolver config file.
behavioral2
- Target
  
  6fd8e845cfa1bf8f809f0f372c2d4e955c6a3b6c0e88fb8f474a2645f587ecf0.exe
- Size
  
  677KB
- MD5
  
  71be9f51632e4bed46fbcddb42abeec3
- SHA1
  
  1d6190e891027b1b80a58b8680a1bd508d8a8932
- SHA256
  
  6fd8e845cfa1bf8f809f0f372c2d4e955c6a3b6c0e88fb8f474a2645f587ecf0
- SHA512
  
  b27d8bf2f4935ae43e3bd3ec743054da5af74502a6bc41dee5ab061ddc1e06a95e80f19500fbb31531957f1c2edfd284f96d49ef793c8bff160e98d0ce536c1b
- SSDEEP
  
  12288:CuUHqk0Au1p5AVSbzDzAGlV9C9mqiZVzfo8Ps7pI6Zl9vnEiAJtXJJvJn3Gfgk/:4HJ0AMX3DzdkivzvPs7pIIPn5S
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  704427aa451d261a1a92a6e834a1ee2be50971a012e711f9f660403904a9622c.exe
- Size
  
  610KB
- MD5
  
  42ccbe82ed5e8371bb22119c15839d2f
- SHA1
  
  59aca10355bdda9c5461d283d62e4df67085ee34
- SHA256
  
  704427aa451d261a1a92a6e834a1ee2be50971a012e711f9f660403904a9622c
- SHA512
  
  8926d9e7d26129974b1f9698be311743e00d2be1b20b38caff52e137f2b3cab3ecd30609be75383a55631e06ae1fef19bae9c91555e010f333c11ef2a6457c8b
- SSDEEP
  
  12288:/8UHiWHJRBDgJVQoha02CXwS3UlA3osCymrW2rvk:bHzHDBDyQoFEGojymrvv
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  7e0ce70b001b96a73da04175076a1f60b46eac72c208813654dfd94359c81b27.exe
- Size
  
  3.1MB
- MD5
  
  177ec4bae66f4c52caec00c3a2821b07
- SHA1
  
  abcc6871fc4fda0e8c132350e1305ecf2caa23b6
- SHA256
  
  7e0ce70b001b96a73da04175076a1f60b46eac72c208813654dfd94359c81b27
- SHA512
  
  e82cee168f9762a1c836b56c0d13622d443f4a6be21f477876700cc07d3b6d78679d1ab91da07be9a646cbef879e930afc111fe6402e4c0a54fb03679d8d3a41
- SSDEEP
  
  49152:3RBx8YWn/sSkSnvekD0hk3mCPHZQTo4awuqV:3R0BlR3mC0l
Score

7^/10

spyware stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral7 behavioral8
- Target
  
  borlndmm.dll
- Size
  
  21KB
- MD5
  
  0cf6c24c611c58fe8b85da545dd68364
- SHA1
  
  b9b6dfef551b2880b7f1b6b53fa453df888de582
- SHA256
  
  1c7ff99399a59491c7c016681ef3be2890dce818c3d6ccf2f18d27f2eeb3ace9
- SHA512
  
  63770629bdea43d0676d39a069b76c991e76b539bf752dcd3d82220974e120c2dec27a55811984d6ae77be6b987c5a83420fd990e467f6fe5337864c57183830
- SSDEEP
  
  384:QCRM84hqhwKaBszhPIOeR1zwe6Lq2++qQJw6OzVjEu:Qb84hqh+BszhneoqnQO5VR
Score

3^/10
behavioral10 behavioral9
- Target
  
  dbghelp.dll
- Size
  
  6.5MB
- MD5
  
  eb6d15d7d63e18c2400f7f6967680e58
- SHA1
  
  e6dcf1050ef8781000d374bcad78f4f25cad1d09
- SHA256
  
  0b8db5f6a7297966e9c557ce5eba1f00d598adec578ed3c7d774c0e4cf12692b
- SHA512
  
  34a47fe0744a45b997502c289b85e8342d8b9fd2adeb8b7f53740a588640e7c213ae1ef73e80d63302074052e63570bc284493c47d5dcd76ce7961382702ccb9
- SSDEEP
  
  98304:ZKttZRC6bkH0RFDyPl1KyE+tOtq/o5TgCFy:ZuWHw7+otqABgC
Score

3^/10
behavioral11 behavioral12
- Target
  
  jesus.exe
- Size
  
  795KB
- MD5
  
  9b7d6eff018883dc951a4fb5a1418a93
- SHA1
  
  2a1a5d7c85560924edc434a1d2f23ed3445d86f4
- SHA256
  
  9f33291224985b73c145d6154bc97bb92964f61d3fd9ac7a7f072a96447e9b3c
- SHA512
  
  c705c35a82e7e82e4ec0f6e1c177aa36a64a254e6655d7192ffed7252d0ed0e911b390e7002e6b70bc3e71f27eb94b95063bd7e2f5707cc37470785fd1fd0540
- SSDEEP
  
  12288:7UtGzpcrkBSJvSiEVI1w/N6dm5kKm8J/ApHa+ig2JqYxdPPGDNnYL/WctM:7UtVoWSiEa1wEdrY+ig2HFGKaJ
Score

6^/10
- Checks for any installed AV software in registry
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Program crash
behavioral13 behavioral14
- Target
  
  libeay32.dll
- Size
  
  1.3MB
- MD5
  
  1f3d6ea5e7dab4126b5315261785408b
- SHA1
  
  5a138f31b36fa689f783bb1325a34566fa725865
- SHA256
  
  fc66f65545e6f8d875e82509bcb4ed4bd3df1869734d8f4fd206c9b7e8726499
- SHA512
  
  d37237baf8d0054c87b303758941e7180fcd40b63dea44c3e66c3e0d9bf9d23f8ea0bb47dd7cb0edb73c56e471c71520d9aaf8bbc36850e6a6ffd45bc794af48
- SSDEEP
  
  24576:47pG+KpPqMxEvaVU5nXfVI4pn6GDgq5jUcKQHgpoWqYCSd1EXE:1Sc8lX9zp6GMYj5HgpoWqYCSd1EXE
Score

1^/10
behavioral15 behavioral16
- Target
  
  ssleay32.dll
- Size
  
  328KB
- MD5
  
  a71bb55be452a69f69a67df2fe7c4097
- SHA1
  
  d2ab6d7acf2647827155d9bd3d9d4eca57eb2fce
- SHA256
  
  ff6c7f1c9dcff3b3a90cf57a9b4341dda0d76adb9e8667b4a3f75e15a2b7a832
- SHA512
  
  d0f7342266d9f9fa34b47564181a169dcf3fb518406f418bf0622c0e1ed5d849fa4c7816c0fe1542fc41e266bf3182ed2ffa49ac8247054a0b60f96b2ba4661a
- SSDEEP
  
  6144:dLO38jiCYCDntquD5aaQn4jQiA/EhNmYDn2J8mZaEZn3WIV/Yx0w1kFvm8ZHValx:ZO38jiCYCDntquDbQn4jQiA/EhNPT2Jy
Score

1^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Changes its process name

Flushes firewall rules

Modifies Watchdog functionality

Writes DNS configuration

Changes its process name

Flushes firewall rules

Modifies Watchdog functionality

Writes DNS configuration

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops startup file

Reads user/profile data of web browsers

Checks for any installed AV software in registry

Looks up external IP address via web service

Program crash

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18