agenttesla

General

Target

a6cd55461ca16e33b153c509417d91eec660cc6d447764c9a312a0ad871ca9c5.exe
Size

1.0MB
Sample

240427-bysl7shb61
MD5

872fc876d25908a93236dcf98e09e3de
SHA1

06da1381d9aaa978ace25c409a59c3d6560975c0
SHA256

a6cd55461ca16e33b153c509417d91eec660cc6d447764c9a312a0ad871ca9c5
SHA512

4f1750c69221ecea05d66a5eb92c2cf821fcc080c3593ac7a3874d7cc9fc8f2ce1d9263329f419cc43188dda09bdbdbb412a5c6bb370aec70a9830588b07d586
SSDEEP

24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaF+CoEFoTiy5:Dh+ZkldoPK8YaF+DH

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.italiacanda-it.com
Port:
587
Username:
[email protected]
Password:
dsrociz1
Email To:
[email protected]

Targets

- Target
  
  a6cd55461ca16e33b153c509417d91eec660cc6d447764c9a312a0ad871ca9c5.exe
- Size
  
  1.0MB
- MD5
  
  872fc876d25908a93236dcf98e09e3de
- SHA1
  
  06da1381d9aaa978ace25c409a59c3d6560975c0
- SHA256
  
  a6cd55461ca16e33b153c509417d91eec660cc6d447764c9a312a0ad871ca9c5
- SHA512
  
  4f1750c69221ecea05d66a5eb92c2cf821fcc080c3593ac7a3874d7cc9fc8f2ce1d9263329f419cc43188dda09bdbdbb412a5c6bb370aec70a9830588b07d586
- SSDEEP
  
  24576:0AHnh+eWsN3skA4RV1Hom2KXMmHaF+CoEFoTiy5:Dh+ZkldoPK8YaF+DH
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2