agenttesla

General

Target

Curriculum Vitae Catalina Munoz.zip
Size

664KB
Sample

240515-hsm8vsea6s
MD5

b813289b9b9744a681a9c0347e9c46a4
SHA1

41d43780d060f4b89bc1803a7e123ddd6458380b
SHA256

0459d4962d60e779e7a8ae5977a33e935318e0e808c364c08298fee131b8966f
SHA512

d3a933f6cae27afc4eda8756aba4bae5774520fa5bee09729656a5c8c5964c0c6c69c2bb0167ec03eaae104abd63d914f0a3628b51ba79f2f6c154e604ace2b3
SSDEEP

12288:XSnvev/+fcNt/s39/XTEYMAS9S4wlqOTlBVJDhr9RbZ/z+vIadw5XRuuBBnyK0Fo:XSnvevhNBsN/XTEkS9S4wgOTHZTN7qR4

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.claresbout.com
Port:
587
Username:
[email protected]
Password:
fahaF^V7
Email To:
[email protected]

Targets

- Target
  
  Curriculum Vitae Catalina Munoz.exe
- Size
  
  688KB
- MD5
  
  ead6dba8666f0ecf15ae11c6cb67c933
- SHA1
  
  f0576f8930abf5ffae084a53ebdf1fa63af283a7
- SHA256
  
  c3ead2fe3d5d25dcf9c9356368e1608b389eacbc9d3a497015e383da4c44377a
- SHA512
  
  eaabe48d6ea17bb32c9d3e90087394f5fe47f6b08f7d6ce9aad3a3fc2f56d4970ee2da827c10f82c4cc596b01aacd377ca245f49a11a937e59efab14b5355335
- SSDEEP
  
  12288:yxdbCSBLevb+fANBps31/X9UYM8Sju4GlqOhlBVJbhb9RbZzvClXSKdQ3kgPOusT:yxd2SBLevhNjsF/X9UISju4GgOhX9TNV
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2