agenttesla | 33a3d38b3803fcd07ab89627453e7c55b03cfe8c6dcaad4b35c679098e8a6f28 | Triage

Submit
Reports

Overview

overview

Static

static

3

Pago.exe

windows7-x64

Pago.exe

windows10-2004-x64

Sharing

General

Target

634d02b9be17db24e638c8ee7ec5a640_JaffaCakes118
Size

1.2MB
Sample

240521-ppldesdg91
MD5

634d02b9be17db24e638c8ee7ec5a640
SHA1

fbab0e0ea4e390dbec02e956996c62f54d05d139
SHA256

33a3d38b3803fcd07ab89627453e7c55b03cfe8c6dcaad4b35c679098e8a6f28
SHA512

a3ecbe281c9a731ec44c197b76ef293db48ea77838985cfcac6471e3cf0ebd49e25ac02f4d294eaea2492811693753468d4fa66863e9b4bc42556bca3865dd84
SSDEEP

12288:OILPtvuLRSkpGDgXXt9thbzWuPIxHobepLzF0sht5UXmiUQB:NLPNAo2OgHt9thbzWuP1bexF0sI

Score

10^/10

agenttesla collection keylogger spyware stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

Pago.exe

Resource

win7-20240215-en

agenttesla collection keylogger spyware stealer trojan

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

Pago.exe

Resource

win10v2004-20240508-en

agenttesla collection keylogger spyware stealer trojan

windows10-2004-x64

15 signatures

150 seconds

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
[email protected]
Password:
princehero1234

Targets

- Target
  
  Pago.exe
- Size
  
  487KB
- MD5
  
  a528672b089d077f76a71e5a42b043e5
- SHA1
  
  006fe87dddcb4e3afa0b17f2881807c9c3ba13d1
- SHA256
  
  780a88c79396f2df8841cf5f66f6807402e45b1db65e20f10d6814e6300cf8f5
- SHA512
  
  5019448cd719661f7186babddf07d29200838eaa5e68f8d429ad95d8579ed53782c0bee530f14037ba34887ea316a7a87cada24ecfb0b63db7ab37d7fe510e09
- SSDEEP
  
  12288:aILPtvuLRSkpGDgXXt9thbzWuPIxHobepLzF0sht5UXmiUQB:hLPNAo2OgHt9thbzWuP1bexF0sI
Score

10^/10

agenttesla collection keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslacollectionkeyloggerspywarestealertrojan

behavioral2

agentteslacollectionkeyloggerspywarestealertrojan

© 2018-2024

Terms | Privacy