agenttesla

General

Target

1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208.exe
Size

755KB
Sample

240522-rm6mpaeb36
MD5

8e04b44c3b8b8a8b6cdca6908dd8e4c3
SHA1

33100246c5c088d7d4972a36752dbc840427c496
SHA256

1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208
SHA512

c3e5f1cb43c34060c33be4a07b37e4a82b9587240a2545c42ac6f7b3e720181194769f6ae518990ea4a0e8f80694b50822c934fc14c6b60eff0c87d8b40ecbdf
SSDEEP

12288:VI/WET/mr9K+22BEEzFatnnFsaAKhtSXOonGusHHsmVeS1vowVqh3Bh/ErM2SqlC:sWtb3BE5OaAKDWGuKsOeS1O3BlsM2SPF

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://eu-west-1.sftpcloud.io
Port:
21
Username:
91687a7459034251bf46decf042c73b6
Password:
TT70ddky2yNKGpkX1I1OBsDlEcGIaUsv

Extracted

Credentials

Protocol: ftp
Host:
eu-west-1.sftpcloud.io
Port:
21
Username:
91687a7459034251bf46decf042c73b6
Password:
TT70ddky2yNKGpkX1I1OBsDlEcGIaUsv

Targets

- Target
  
  1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208.exe
- Size
  
  755KB
- MD5
  
  8e04b44c3b8b8a8b6cdca6908dd8e4c3
- SHA1
  
  33100246c5c088d7d4972a36752dbc840427c496
- SHA256
  
  1301dd3fb7afbea695c0d81ca9016ddb9b0090ee3c51717a6b8b7e4206ad0208
- SHA512
  
  c3e5f1cb43c34060c33be4a07b37e4a82b9587240a2545c42ac6f7b3e720181194769f6ae518990ea4a0e8f80694b50822c934fc14c6b60eff0c87d8b40ecbdf
- SSDEEP
  
  12288:VI/WET/mr9K+22BEEzFatnnFsaAKhtSXOonGusHHsmVeS1vowVqh3Bh/ErM2SqlC:sWtb3BE5OaAKDWGuKsOeS1O3BlsM2SPF
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2