agenttesla

General

Target

acb944b1e95d034509236638d3f794be.bin
Size

675KB
Sample

240425-ccxjpsdc32
MD5

1b67b9721e4674cab16b7892ac7f4a74
SHA1

d02392f9234d732d32a32e980a1f168eca6d901f
SHA256

bcc3f084ead4dde162229de1b25d935c0624c6a8316c220cc059fd025be4fd08
SHA512

8b2d874dcf46c23aa3bab348b6789df9b56874714327aecca0836a3612e123def2d2a6969d0ba03472d5599cca93f05f1153fb390a7b5f34545f0fa2679cf9f5
SSDEEP

12288:u7/KgbSQIi+jtqQVqUXrpXO3InqA1dE+/Y9jwk20wGOf7Mk9lYbA9+kzh:4/PbS+3WpVqMu+/S0kQGOfwXA8kt

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.rusticpensiune.ro
Port:
21
Username:
[email protected]
Password:
99AM}+NZ&CCq!4Vq)9!(zXx01.lQ!~nS.fBnY,4Z~fjHnGo*B3Gd;B{Q1!%-Xw--%vn^0%nt

Targets

- Target
  
  SC_ADACONI_N.24040122PDF.exe
- Size
  
  1.1MB
- MD5
  
  2a793bfa3d22c67153842279520b366c
- SHA1
  
  953fe50e20ef01e1afbc8112f7e1d6167646083b
- SHA256
  
  de9d7a5b1df10e151659a0867c4c7004ff4f023acdb9071f88b0939c1cb37dea
- SHA512
  
  76c3e3c4e576eb5f3cb1549e64652156776b54e29e2b32d24075301cbda89b8f45071ad7e307f201cf60f83bf690b53343d8f2399ddaf7d61ed6ca4b967a6df5
- SSDEEP
  
  12288:xx7SXc87X+bXPXST4Fof1XUhJePHq3EdfX4xw5cRK5JNHrU32YWrM9uOAHnVRS3h:rSXcH/X4yBevq0dAxnRK4iA9ga
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2