agenttesla | d861468d7b1fe97305d42cd3aee9b496e2a8e85570e3a5368b8b2ecebf18c45b | Triage

Sharing

General

Target

Centrotus.exe
Size

759KB
Sample

240508-tp8k6scg9z
MD5

ab19781723f4fc95135ea1c4fab2c5ac
SHA1

7667881fc0adcb94eaae71e680d6779581a8a869
SHA256

d861468d7b1fe97305d42cd3aee9b496e2a8e85570e3a5368b8b2ecebf18c45b
SHA512

55743e56af9948f2b657a7eb5a3a324d35fd55bf0537b9d7eec8931004813cef10b1e86d3960806da4e71146c12faa8d8a056154ca1563d2f2e576412842b502
SSDEEP

12288:KmNKDlHyYytPO2G6hqGGHfJWqbTGPObiUB:KmCHCpA6hqbWmV

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Targets

- Target
  
  Centrotus.exe
- Size
  
  759KB
- MD5
  
  ab19781723f4fc95135ea1c4fab2c5ac
- SHA1
  
  7667881fc0adcb94eaae71e680d6779581a8a869
- SHA256
  
  d861468d7b1fe97305d42cd3aee9b496e2a8e85570e3a5368b8b2ecebf18c45b
- SHA512
  
  55743e56af9948f2b657a7eb5a3a324d35fd55bf0537b9d7eec8931004813cef10b1e86d3960806da4e71146c12faa8d8a056154ca1563d2f2e576412842b502
- SSDEEP
  
  12288:KmNKDlHyYytPO2G6hqGGHfJWqbTGPObiUB:KmCHCpA6hqbWmV
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  e23600029d1b09bdb1d422fb4e46f5a6
- SHA1
  
  5d64a2f6a257a98a689a3db9a087a0fd5f180096
- SHA256
  
  7342b73593b3aa1b15e3731bfb1afd1961802a5c66343bac9a2c737ee94f4e38
- SHA512
  
  c971f513142633ce0e6ec6a04c754a286da8016563dab368c3fac83aef81fa3e9df1003c4b63d00a46351a9d18eaa7ae7645caef172e5e1d6e29123ab864e7ac
- SSDEEP
  
  192:Vm9rQDenC9VrcK7REgSWOprANupQYLRszDDH/d9CWlXo7U6Wxf:QJQEaVAK7R9SfpjpQYLRszfH/d9CWB1j
Score

3^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/nsExec.dll
- Size
  
  6KB
- MD5
  
  3d2adaa3d221fda021e6c08d987bdaad
- SHA1
  
  2e4739d2d1bff8e4c093b913f3f4523ffc977cfa
- SHA256
  
  28ad93c4a8d4357a13c17c615f21a2166984e2a438c1a1c1dd2e1c99d3640b16
- SHA512
  
  294e84892356e2abfbb14f00ad4fd5457dd63a6740bfd0de3457f321eae7807d4b06d2fda81aad1bbf0af4d9188c332c0578f224550d82745bdff03dd370d0f4
- SSDEEP
  
  96:St4Vl/7Lo1UBrob9ljNEUgD7cyuM1x9XkraK2A2KAB5VVDyssKZ:St4Vlw1Iul5J8T1vK20I5VVGsb
Score

3^/10
behavioral5 behavioral6
- Target
  
  Flexibel/Pygalgia/medlever.jad
- Size
  
  2KB
- MD5
  
  18260dbf7014af5adc94692ae0d4150c
- SHA1
  
  ca0b5023c70a3ba59c3892823453ff3c4b1ded2f
- SHA256
  
  119213bd3c56720d9544d46a09f4b699248c9a0b05a83912374e2ead70f9090b
- SHA512
  
  e22c39393db9e92ed89c8a55aa04ee1d1601872c24764a3c3483fa166ebac8a07061e76b25add27a87e84de1f6aa0aa454cf7808704bb7a49e7e1147b4987cb0
Score

3^/10
behavioral7 behavioral8
- Target
  
  Synfuel/Huspil81.asp
- Size
  
  2KB
- MD5
  
  a76bc500b3844f011ff95a1cb9cc980a
- SHA1
  
  4515e0e4fd6fe73011494cd02a26bac9dbe4ce40
- SHA256
  
  c223207b8f1a9ebc4089a99f53865be22631905d1e48ca1c37cd545812cadbad
- SHA512
  
  bc1338a2e941cba3455701fb7bd23ad9e9cfa90d0d538817cbb92498c00c0897185e50566cf9a2f9094dbb6f1030d9937a92d4abe69ba2f3fecf9758aae647fc
Score

3^/10
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslakeyloggerspywarestealertrojan

behavioral2

agentteslakeyloggerspywarestealertrojan

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10