agenttesla

General

Target

Invoice.exe
Size

822KB
Sample

240426-lns54adf8y
MD5

df0a67f2a0c162c5a5dee0a8fcd8ab22
SHA1

07981693f5b38fa99a88aca0e13ba5b6022b1465
SHA256

e62255f98543e0bb1abf017af13fd483e1382158021b7edde65fa55c1ad290cf
SHA512

b62ea9a4710dfc855cfd47f2c0cb8787c9ea6b1159387431d1cc70b5989dd59086aaadd62e42fea9b21d28834b6ece20dc1715245762d026e48e315544529f75
SSDEEP

12288:zPqnHvjNIrpf9rN/mc/CQw5PXdFPemY3kI26WE+34DO2IOxzV2SYm9nEix9H82rF:zyPjKr5BNDuXvfY0RfmIkzLNP5rJ

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.starmech.net
Port:
587
Username:
electronics@starmech.net
Password:
nics123
Email To:
godwingodwin397@gmail.com

Extracted

Credentials

Protocol: smtp
Host:
mail.starmech.net
Port:
587
Username:
electronics@starmech.net
Password:
nics123

Targets

- Target
  
  Invoice.exe
- Size
  
  822KB
- MD5
  
  df0a67f2a0c162c5a5dee0a8fcd8ab22
- SHA1
  
  07981693f5b38fa99a88aca0e13ba5b6022b1465
- SHA256
  
  e62255f98543e0bb1abf017af13fd483e1382158021b7edde65fa55c1ad290cf
- SHA512
  
  b62ea9a4710dfc855cfd47f2c0cb8787c9ea6b1159387431d1cc70b5989dd59086aaadd62e42fea9b21d28834b6ece20dc1715245762d026e48e315544529f75
- SSDEEP
  
  12288:zPqnHvjNIrpf9rN/mc/CQw5PXdFPemY3kI26WE+34DO2IOxzV2SYm9nEix9H82rF:zyPjKr5BNDuXvfY0RfmIkzLNP5rJ
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2