agenttesla

General

Target

a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs
Size

162KB
Sample

240501-b97khadc6v
MD5

4c75fc967ca796d4f8da4128b7bebf70
SHA1

8211cb066cda8aa6cfd62d39b6ccd45254d68916
SHA256

a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5
SHA512

5d440d6b5ced3b364c2a1cd7380cdc89d2d5d8220bcb504ab1f2f1b66e0a0c42dfac02a22f3ba041b4a6faf58d5810817759943b49566b0e362d200dd9cb55c1
SSDEEP

3072:tvHpcPqzeEihOHbeM8fTSrnSRFHJnB/nRT/PRoFPAeRoFeO3RMpY:t6PqzeEiheeM8fTSrnSRFHxBvRjRoFPa

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
wong232376@gmail.com
Password:
vknk bnwz oyuc ljbp

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
wong232376@gmail.com
Password:
vknk bnwz oyuc ljbp
Email To:
wong232376@gmail.com

Targets

- Target
  
  a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5.vbs
- Size
  
  162KB
- MD5
  
  4c75fc967ca796d4f8da4128b7bebf70
- SHA1
  
  8211cb066cda8aa6cfd62d39b6ccd45254d68916
- SHA256
  
  a4dd485c93929dbeb0e6fd056e60aba8211005c76e97c581fc87875b6e3703c5
- SHA512
  
  5d440d6b5ced3b364c2a1cd7380cdc89d2d5d8220bcb504ab1f2f1b66e0a0c42dfac02a22f3ba041b4a6faf58d5810817759943b49566b0e362d200dd9cb55c1
- SSDEEP
  
  3072:tvHpcPqzeEihOHbeM8fTSrnSRFHJnB/nRT/PRoFPAeRoFeO3RMpY:t6PqzeEiheeM8fTSrnSRFHxBvRjRoFPa
Score

10^/10

agenttesla wshrat keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- WSHRAT payload
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2