agenttesla | a31748dd0aa6f53cbfa189bef070a2304e385ef18c0bab5672e039c4a12c41f7 | Triage

Sharing

General

Target

Eurovisioner.exe
Size

548KB
Sample

240503-nat7cafb33
MD5

e90feee8c6994f0cd73a792ea886693c
SHA1

e0c070b38f16693aacc47a0c11e5a0036191b1db
SHA256

a31748dd0aa6f53cbfa189bef070a2304e385ef18c0bab5672e039c4a12c41f7
SHA512

07158b7462c3ca51f0ce5737cab77ea93144105f40117341a6e79624c5ac7492365a85ce724724de9ff845367ebf1b44e061a19410b860699ce349676b0ba707
SSDEEP

6144:h1onKQNqlcuBZB478o/iDx5ux04TcMR5C33BlqS0gGD3WNfX5Slhv2:TozEBTyH/wzuO4TvC33vWgGDGxSl92

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.escolaprofissionaltomar.com
Port:
587
Username:
[email protected]
Password:
*Acnbc232430#
Email To:
[email protected]

Targets

- Target
  
  Eurovisioner.exe
- Size
  
  548KB
- MD5
  
  e90feee8c6994f0cd73a792ea886693c
- SHA1
  
  e0c070b38f16693aacc47a0c11e5a0036191b1db
- SHA256
  
  a31748dd0aa6f53cbfa189bef070a2304e385ef18c0bab5672e039c4a12c41f7
- SHA512
  
  07158b7462c3ca51f0ce5737cab77ea93144105f40117341a6e79624c5ac7492365a85ce724724de9ff845367ebf1b44e061a19410b860699ce349676b0ba707
- SSDEEP
  
  6144:h1onKQNqlcuBZB478o/iDx5ux04TcMR5C33BlqS0gGD3WNfX5Slhv2:TozEBTyH/wzuO4TvC33vWgGDGxSl92
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  3f176d1ee13b0d7d6bd92e1c7a0b9bae
- SHA1
  
  fe582246792774c2c9dd15639ffa0aca90d6fd0b
- SHA256
  
  fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
- SHA512
  
  0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
- SSDEEP
  
  192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  b5a1f9dc73e2944a388a61411bdd8c70
- SHA1
  
  dc9b20df3f3810c2e81a0c54dea385704ba8bef7
- SHA256
  
  288100583f65a2b7acfc0c7e231c0e268c58d3067675543f627c01e82f6fd884
- SHA512
  
  b9c8d71b5da00f2aff7847b9ec3bd8a588afeb525f47a0df235b52f7b2233edb3928a2c8e0b493f287c923cc52a340ad6fee99822595d6591df0e97870de92a8
- SSDEEP
  
  96:p7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgNQ3e:lXhHR0aTQN4gRHdMqJVgNH
Score

3^/10
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan

behavioral3

behavioral4

behavioral5

behavioral6