agenttesla

General

Target

ab67341a64bb5e48f68d3d942f96ef10fbc59c118a43ba2dad0c533ffd391be3.exe
Size

1009KB
Sample

240522-cj4atsgh69
MD5

72b1dfb60cae17dc577fa43347f69c41
SHA1

5eeb711eb6ade3532a11443fe10941ab15c47a52
SHA256

ab67341a64bb5e48f68d3d942f96ef10fbc59c118a43ba2dad0c533ffd391be3
SHA512

627e70d818922bc93784f977e6111f5ec5e87da5c6053317854be7de78dfe31d73783a36cae61d1b8e3c2a7b8a5108c2a0a2a06d49f56fd5377556e8d19f9e01
SSDEEP

24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaukON3e7NDR1kt45:eh+ZkldoPK8YauNI7NV1ko

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.gruporequena.com
Port:
587
Username:
[email protected]
Password:
flandealmendra
Email To:
[email protected]

Targets

- Target
  
  ab67341a64bb5e48f68d3d942f96ef10fbc59c118a43ba2dad0c533ffd391be3.exe
- Size
  
  1009KB
- MD5
  
  72b1dfb60cae17dc577fa43347f69c41
- SHA1
  
  5eeb711eb6ade3532a11443fe10941ab15c47a52
- SHA256
  
  ab67341a64bb5e48f68d3d942f96ef10fbc59c118a43ba2dad0c533ffd391be3
- SHA512
  
  627e70d818922bc93784f977e6111f5ec5e87da5c6053317854be7de78dfe31d73783a36cae61d1b8e3c2a7b8a5108c2a0a2a06d49f56fd5377556e8d19f9e01
- SSDEEP
  
  24576:TAHnh+eWsN3skA4RV1Hom2KXMmHaukON3e7NDR1kt45:eh+ZkldoPK8YauNI7NV1ko
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2