agenttesla

General

Target

5021036673.exe
Size

461KB
Sample

240521-pz3epaec54
MD5

3b7ef5232e11bd43c48fbbcbaada35ab
SHA1

04c1003f6611b769fc7f900d404ac90d550a12ac
SHA256

8476500f6ecba15ee6e50f37c34bf2ccdd4790b42d0a44737d2626dcaa0e2449
SHA512

ef397e10b854bc6ba465717ef7686de5caab0fdd81b8758c89764cdba5e3b058d621562fac2bc3dd59d89e59e44579029b2cc21013bff691b0f88cb72665b9df
SSDEEP

6144:DVwYYaG3c+iS3oBIOokpsEjb2SfjNhuthxCCfBjhpH3565Xnnz/84DP7/V:r+bOxpsUiS7TutDCVF

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
66.29.151.236
Port:
587
Username:
[email protected]
Password:
s9jjoVvaZchS
Email To:
[email protected]

Extracted

Family

nanocore

Version

1.2.2.0

C2

94.156.68.219:2323

Mutex

687022d0-91f8-4a5a-bf22-c3a2c043d015

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-03-02T10:05:36.450504536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
2323
default_group
21may04
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
687022d0-91f8-4a5a-bf22-c3a2c043d015
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
94.156.68.219
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Credentials

Protocol: smtp
Host:
66.29.151.236
Port:
587
Username:
[email protected]
Password:
s9jjoVvaZchS

Targets

- Target
  
  5021036673.exe
- Size
  
  461KB
- MD5
  
  3b7ef5232e11bd43c48fbbcbaada35ab
- SHA1
  
  04c1003f6611b769fc7f900d404ac90d550a12ac
- SHA256
  
  8476500f6ecba15ee6e50f37c34bf2ccdd4790b42d0a44737d2626dcaa0e2449
- SHA512
  
  ef397e10b854bc6ba465717ef7686de5caab0fdd81b8758c89764cdba5e3b058d621562fac2bc3dd59d89e59e44579029b2cc21013bff691b0f88cb72665b9df
- SSDEEP
  
  6144:DVwYYaG3c+iS3oBIOokpsEjb2SfjNhuthxCCfBjhpH3565Xnnz/84DP7/V:r+bOxpsUiS7TutDCVF
Score

10^/10

agenttesla nanocore evasion keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- NanoCore
  NanoCore is a remote access tool (RAT) with a variety of capabilities.
  keylogger trojan stealer spyware nanocore
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2