agenttesla

General

Target

bc0376206d1c6d33bd9e52dcb81e4f09.bin
Size

332KB
Sample

240417-cam79abh91
MD5

43930ba9f791446a6402a94ebf02a0a8
SHA1

6435cb3fcef2df7f9c81c270c122f8d6695112ba
SHA256

068afe4abdf72f520dd9477cc71766b9453582bf63dab109c7e5e31627585698
SHA512

6bb6225b73b20d872d7b49451a1c6a6efd9a54b74be950fad9eb27ed2bba835e78814f67f77a1922ce5e696d363355b1e6a35bbca08d3183cf7c501c2a4c39cd
SSDEEP

6144:qg70l3nlbB8PMjaoRrx7n17AGG5OKDE4Eaju39WKXvXF5Z:qgS3nh/a2XCOyvjiIKN

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
1.$.#t~cK;4C

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
1.$.#t~cK;4C

Targets

- Target
  
  02fcd974ed295876909c4ab68f5407bb5629649d2e56352ce39911dafa9b09ad.exe
- Size
  
  427KB
- MD5
  
  bc0376206d1c6d33bd9e52dcb81e4f09
- SHA1
  
  4249f90a5b402f4126265681d812097fe71692d6
- SHA256
  
  02fcd974ed295876909c4ab68f5407bb5629649d2e56352ce39911dafa9b09ad
- SHA512
  
  212791a6d7359c28ed2e1ae552770585336fab9c216719cfac8fbd2fd38a8ed197589d33441331ab60d510a7f598684365382397016d7f5f026abb1cbfb99dfa
- SSDEEP
  
  6144:MBi2YE367ONkXCHj0vjObPK2T9wti2GNHZo5JlpeVP/sBG3V+M+2P:Mt4viby2WtYNHy5JQ/5+MPP
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2