agenttesla

General

Target

a1c90612e171679cdf3fc4aad3872a80a782e2cfee64b53a631cea435e947a81
Size

775KB
Sample

240425-c2klfadf99
MD5

324796af926f8e32ccecd40e77676a0c
SHA1

fa0bbffc6422f42395a323b49cc4752c5553c635
SHA256

a1c90612e171679cdf3fc4aad3872a80a782e2cfee64b53a631cea435e947a81
SHA512

35ad6f8612dd7a988ec7588eeae2e00c52a39ab5e5cf305f2de451bc531d479634da04e5442f88077801425ebdfa62d0a7f9977d11a1a54b5e75ba9104f7ac0a
SSDEEP

24576:IF197Eaz2h/PVI+Jiu/CNchPJ312ZUY5:O77Eaz2lVI+JZCNKJl2j

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://eu-west-1.sftpcloud.io
Port:
21
Username:
64c972c69bef4d24b6a8140c66c10f0a
Password:
2S39TYnNmuLXjVyhLq8dhVRX7Wul6UwJ

Extracted

Credentials

Protocol: ftp
Host:
eu-west-1.sftpcloud.io
Port:
21
Username:
64c972c69bef4d24b6a8140c66c10f0a
Password:
2S39TYnNmuLXjVyhLq8dhVRX7Wul6UwJ

Targets

- Target
  
  a1c90612e171679cdf3fc4aad3872a80a782e2cfee64b53a631cea435e947a81
- Size
  
  775KB
- MD5
  
  324796af926f8e32ccecd40e77676a0c
- SHA1
  
  fa0bbffc6422f42395a323b49cc4752c5553c635
- SHA256
  
  a1c90612e171679cdf3fc4aad3872a80a782e2cfee64b53a631cea435e947a81
- SHA512
  
  35ad6f8612dd7a988ec7588eeae2e00c52a39ab5e5cf305f2de451bc531d479634da04e5442f88077801425ebdfa62d0a7f9977d11a1a54b5e75ba9104f7ac0a
- SSDEEP
  
  24576:IF197Eaz2h/PVI+Jiu/CNchPJ312ZUY5:O77Eaz2lVI+JZCNKJl2j
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2