agenttesla | 237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1 | Triage

Sharing

General

Target

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1
Size

666KB
Sample

240523-b7wp8ahd82
MD5

a6bc6bce06415a0e0521552c83a1a056
SHA1

78ac06f9b255cd527a81acf5f2a58730fb1f7240
SHA256

237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1
SHA512

f9ca3ad37732c05cbcf0d00581b87829d9381c18dbbc6798592cf3856513fa7e914f3c3a184efae60bbee76d743c3f4478592cd0d0da89f500c975d0299c6be5
SSDEEP

12288:Sn2vyqCT693Ax2LFJ3xoUM7NilLv912x8o/+BE/7orHrAB5mej4s:SiPCT69Qx2hBx47aPoTSEjOHrA/y

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ap-northeast-1.sftpcloud.io
Port:
21
Username:
d6b6a1a5e9a949a5971882ecf02f4af1
Password:
TsJVvHLXmBg0sjpz7yDI98OWAVbgfcmY

Extracted

Credentials

Protocol: ftp
Host:
ap-northeast-1.sftpcloud.io
Port:
21
Username:
d6b6a1a5e9a949a5971882ecf02f4af1
Password:
TsJVvHLXmBg0sjpz7yDI98OWAVbgfcmY

Targets

- Target
  
  237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1
- Size
  
  666KB
- MD5
  
  a6bc6bce06415a0e0521552c83a1a056
- SHA1
  
  78ac06f9b255cd527a81acf5f2a58730fb1f7240
- SHA256
  
  237331785cd2b1cd6dd2796c5b8494a6ba523f19b1236366bb58e46fe301c4f1
- SHA512
  
  f9ca3ad37732c05cbcf0d00581b87829d9381c18dbbc6798592cf3856513fa7e914f3c3a184efae60bbee76d743c3f4478592cd0d0da89f500c975d0299c6be5
- SSDEEP
  
  12288:Sn2vyqCT693Ax2LFJ3xoUM7NilLv912x8o/+BE/7orHrAB5mej4s:SiPCT69Qx2hBx47aPoTSEjOHrA/y
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaexecutionkeyloggerspywarestealertrojan

behavioral2

agentteslaexecutionkeyloggerspywarestealertrojan