General
-
Target
8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95.exe
-
Size
593KB
-
Sample
240409-b51amaae82
-
MD5
3cb7a144c3a7d35a77044c167749f84d
-
SHA1
23e83390e052b0ce98e5446768a18cf06669b57d
-
SHA256
8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95
-
SHA512
09b7b80dcea62ad01e7338ff2ff37f24938457994f93658ddc9d10c4b8b847da7dc67f6f647821ced3ad4f2277f291ffc7510ade550001f30d88327bf8ae4035
-
SSDEEP
6144:LoGzI1X9PZVheNA+ff0RUt3vCKIH2nqoejh4q/tjkshlTqleM97CtzrwalKI8J2x:LbSnhe2eGUt/jnqrZ1hlTpMVklxVtqev
Static task
static1
Behavioral task
behavioral1
Sample
8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral3
Sample
Paleolimnology/ansgningsfristernes/Dishonorables/Sweety64.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Paleolimnology/ansgningsfristernes/Dishonorables/Sweety64.ps1
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.melanopharma.com
Port: 587
Username: [email protected]
Password: melano@2022
Email To: [email protected]
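The extracted configuration above is the most actionable part of this report: Agent Tesla exfiltrates what it steals over SMTP using the hard-coded mailbox, so the mail host and port are direct network indicators. The following Python is an added example, not part of the sandbox report, that parses that config block into indicators and runs them over a few constructed egress-firewall lines. The log format (key=value with a resolved destination name), the SMTP port set and the sanctioned-relay address are assumptions; the redacted mailbox addresses are carried over exactly as the page shows them.

```python
"""
Added example (not part of the sandbox report): turn the AgentTesla SMTP
configuration extracted above into network indicators and run them over a
handful of constructed egress log lines.
"""
import re

# Configuration text as it appears in the report's "Malware Config" block.
# The mailbox addresses are redacted on the page and are kept unchanged;
# only host and port are used as network indicators.
AGENTTESLA_CONFIG = """\
Protocol: smtp
Host: mail.melanopharma.com
Port: 587
Username: [email protected]
Password: melano@2022
Email To: [email protected]
"""

# Assumptions for the hunt (adjust to the environment): ports on which SMTP
# submission is expected, and the only hosts allowed to speak SMTP outbound.
SMTP_PORTS = {25, 465, 587}
SANCTIONED_RELAYS = {"10.0.0.5"}

# Constructed egress-firewall lines in a hypothetical key=value format, with
# the destination name already resolved (e.g. joined from DNS or proxy logs).
SAMPLE_LOG = """\
ts=2024-04-09T10:12:31Z src=10.0.0.25 dst=198.51.100.20 dport=587 dsthost=mail.melanopharma.com
ts=2024-04-09T10:12:35Z src=10.0.0.5 dst=198.51.100.30 dport=25 dsthost=mx.example.net
ts=2024-04-09T10:12:40Z src=10.0.0.40 dst=198.51.100.40 dport=443 dsthost=www.example.com
ts=2024-04-09T10:13:02Z src=10.0.0.41 dst=198.51.100.50 dport=587 dsthost=smtp.example.org
"""


def parse_config(text):
    """Parse the 'Key: value' lines of the extracted config into a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(event, cfg):
    """Return an alert type for one connection, or None if it looks benign.

    ioc_match         - exact hit on the extracted mail server and port
    unsanctioned_smtp - a host that is not a mail relay talking SMTP outbound
                        (catches a re-configured sample using another server)
    """
    dport = int(event.get("dport", 0))
    if dport not in SMTP_PORTS:
        return None
    if (event.get("dsthost", "").lower() == cfg["host"].lower()
            and dport == int(cfg["port"])):
        return "ioc_match"
    if event.get("src") not in SANCTIONED_RELAYS:
        return "unsanctioned_smtp"
    return None


def scan(log_text, cfg):
    """Run classify() over every line; return (alert, src, dsthost, dport)."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        verdict = classify(ev, cfg)
        if verdict:
            alerts.append((verdict, ev["src"], ev["dsthost"], int(ev["dport"])))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG, parse_config(AGENTTESLA_CONFIG)):
        print(alert)
```

The second rule matters more than the first in practice: the mail server in a stealer config changes from build to build, while "a workstation speaking SMTP to anything but our relay" does not. The credentials in the config belong to the actor's drop mailbox, which is often on a compromised legitimate domain; use them as indicators only and never authenticate to the server from a corporate network.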
Targets
-
Target
8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95.exe
-
Size
593KB
-
MD5
3cb7a144c3a7d35a77044c167749f84d
-
SHA1
23e83390e052b0ce98e5446768a18cf06669b57d
-
SHA256
8e9fea5458c969eaf662771d87e2e9d2487e904e5dbeea5d90fc7e44369c3f95
-
SHA512
09b7b80dcea62ad01e7338ff2ff37f24938457994f93658ddc9d10c4b8b847da7dc67f6f647821ced3ad4f2277f291ffc7510ade550001f30d88327bf8ae4035
-
SSDEEP
6144:LoGzI1X9PZVheNA+ff0RUt3vCKIH2nqoejh4q/tjkshlTqleM97CtzrwalKI8J2x:LbSnhe2eGUt/jnqrZ1hlTpMVklxVtqev
Score 10/10
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the configuration extracted from this sample exfiltrates stolen data over SMTP (see Malware Config above).
-
Detects packed .NET executables, mostly AgentTesla V4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
-
Detects executables referencing Windows Vault credential objects. Observed in information stealers.
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
-
Detects executables referencing many email and collaboration clients. Observed in information stealers.
-
Detects executables referencing many file transfer clients. Observed in information stealers.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so an attached debugger receives no events for it (anti-analysis).
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with ThreadHideFromDebugger on an existing thread, hiding its exceptions and breakpoints from a debugger (anti-analysis).
-
Suspicious use of SetThreadContext
Rewrites the register state of a (typically suspended) thread; commonly used to redirect execution into injected code or a hollowed process, and to plant hardware breakpoints.
-
Target
Paleolimnology/ansgningsfristernes/Dishonorables/Sweety64.Sch
-
Size
61KB
-
MD5
e5c2dca2119f3e664238f0f51539dbb5
-
SHA1
24fc5d8ac634d19acafbf78852482014c052f996
-
SHA256
b3f8b29f9da552c657a02fbadad0745e365ea1d548fe22ddbfb3e9450eb29837
-
SHA512
458178c3e2f344a9f28a505c870667d5f3387c7cdd0b6cde22ff428e460b2d433f2653b7516fc5698837e41a635e31f2f59564a33631e938b0801749c6f7b7a6
-
SSDEEP
1536:wOnRUJt1Yo/oPn0xI1lp85xiLpcdL/mJf7RUw++4:eJt1Yoh+zgwpKKJdb4
Score 8/10
Modifies Installed Components in the registry
Writes under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components; a StubPath set there is executed at the next interactive logon of every user whose HKCU copy is missing or older, a well-known persistence mechanism.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
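The "Modifies Installed Components in the registry" signature above is an Active Setup persistence indicator, and the natural response is to check that key on affected hosts. The Python below is an added example, not part of the sandbox report, that parses a `reg export` of the key and flags StubPath values that do not look like vendor first-run stubs. The export text is constructed for the example (the second GUID is a placeholder for a hypothetical malicious entry and is not a value recovered from this sample), and the trusted-path and script-host lists are assumptions to tune per environment.

```python
"""
Added example (not part of the sandbox report): audit an exported
'Active Setup\\Installed Components' key for persistence entries.
"""
import re

# At interactive logon Windows compares each component's HKLM "Version" with
# the user's HKCU copy and runs "StubPath" when the HKCU entry is missing or
# older, so a single HKLM write executes once for every user of the machine.
ACTIVE_SETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"

# Assumptions: interpreters that should not normally be an Active Setup stub,
# and locations a legitimate stub is expected to live under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
TRUSTED_PREFIXES = ("%systemroot%", "c:\\windows", "c:\\program files", "%programfiles%")
USER_WRITABLE_RE = re.compile(r"\\(users|programdata|temp|appdata)\\", re.IGNORECASE)

# Constructed 'reg export' text (already decoded from UTF-16). The first entry
# mimics the Themes Setup component; the second is a placeholder GUID for a
# hypothetical malicious stub; the third is a quoted vendor path.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
@="Themes Setup"
"StubPath"="%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall C:\\Windows\\system32\\themeui.dll"
"Version"="1,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"StubPath"="powershell.exe -w hidden -ep bypass -f C:\\Users\\Public\\update.ps1"
"Version"="9,9,9,9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="\"C:\\Program Files\\Contoso\\first-run.exe\" /quiet"
"Version"="2,0,0,0"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo .reg escaping
            keys[current][name] = value  # non-string types are kept raw
    return keys


def stub_executable(stub):
    """Basename of the program a StubPath command line launches."""
    m = re.match(r'"([^"]+)"|(\S+)', stub)
    exe = (m.group(1) or m.group(2)) if m else ""
    return exe.rsplit("\\", 1)[-1].lower()


def audit_active_setup(keys):
    """Flag StubPath values that do not look like vendor first-run stubs."""
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(ACTIVE_SETUP.lower()):
            continue
        stub = values.get("StubPath")
        if not stub:
            continue  # nothing is executed at logon without a StubPath
        reasons = []
        exe = stub_executable(stub)
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if not stub.lstrip('"').lower().startswith(TRUSTED_PREFIXES):
            reasons.append("stub outside Windows/Program Files")
        if USER_WRITABLE_RE.search(stub):
            reasons.append("references a user-writable path")
        if reasons:
            findings.append((path[len(ACTIVE_SETUP):], stub, reasons))
    return findings


if __name__ == "__main__":
    for component, stub, reasons in audit_active_setup(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(component, "->", stub, "|", "; ".join(reasons))
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg` (decode the UTF-16 file before passing it in); check the 32-bit view under `Wow6432Node` as well, since a 32-bit .NET sample such as this one may land there.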