agenttesla

General

Target

4135f0cde1c903b383f707bee508f1c373d4db1473e9dde44e385e331f6d22e9.arj
Size

646KB
Sample

240430-bm3m2agd8w
MD5

adaa5e7b737546312bc7ce47b265cdb3
SHA1

d4f3f2b6b19a0ab01be4c75c43a6897fb2a4e57c
SHA256

4135f0cde1c903b383f707bee508f1c373d4db1473e9dde44e385e331f6d22e9
SHA512

9eade85bbae4081180c1eeecaf544caa03104131725979cb09900e3a5249de761c8b468044acef3ba84a3cfb18bd9259b22aa2ce8064b79e647062cad604e232
SSDEEP

12288:4QJqkgSSPdTTA3yWEx/nAx2A4OTvmNuY3S9hF3V6cmE1Cxg0J:4QJFJSdTTCrEBAIA4Ozm3iT6jF

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.nationalkham.com
Port:
587
Username:
[email protected]
Password:
kham1234
Email To:
[email protected]

Targets

- Target
  
  FVN001-230824.pdf.exe
- Size
  
  698KB
- MD5
  
  c886350c4259dd843104cd51524770a0
- SHA1
  
  595198caebae2f64c3d008425b782e2d7a5f3c00
- SHA256
  
  36847d6a88e758a4d823a6e100746c1f505678f8c286ddc2e942c2329ccc36ee
- SHA512
  
  e3a7bfe55dab903a28e47be2444ba2b6f68e06602fc28fe0a58fc5d2fd1a045bee5a96eec9f1848a0a221922e91c4b5edd5a0498436916a17ff6c24a04f0056d
- SSDEEP
  
  12288:y+DbgAB778Qe2Y2NW76+Lm+nMO6a4Ti+N5qcQB0omFFUoIglO2+1lyV+Rro7n9m:jgABa+W764t6a4+4LQB0oEFUoIE+1u6k
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2