agenttesla

General

Target

NEG-S16-20.xslx.lzh
Size

626KB
Sample

240523-dmvnjabh54
MD5

4f2003d9dedabb95895f06e41f1f139d
SHA1

ea54020f029142273eefefff06c952155cd51403
SHA256

416157183d15aabc842eaa886a699f35bf9522296a0bdf7912e0f2bb44447c8c
SHA512

8a55edc5f854b991d3068ff65df65495159a01b2a35431b5a24c65a4bafa012397a17bfa3568b57d284bdc9b53b23166f39160951f9157564d930efa6dda609f
SSDEEP

12288:TQPXzTuNcSifbRJN/gXPZKfpi0So4LDaumh1FECZhNUFAf2sEN3wM62ZuT0nl:2eNs71UPArp4Xmh1FECiihEN3Pugl

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://beirutrest.com
Port:
21
Username:
[email protected]
Password:
9yXQ39wz(uL+

Extracted

Credentials

Protocol: ftp
Host:
beirutrest.com
Port:
21
Username:
[email protected]
Password:
9yXQ39wz(uL+

Targets

- Target
  
  NEG-S16-20.xslx.scr
- Size
  
  886KB
- MD5
  
  deffa6528aa8ecf6e6f581ee41953497
- SHA1
  
  acabd0b4f33c676e5152dacd0797a06c23bb98a4
- SHA256
  
  bf5514d335e4930fc83a96c80379f37a04c3d7db5ce541de244f0a6dc0116a29
- SHA512
  
  182b82c793b55b8737edd81a66f854b965d116e964c62de5b0b3b594774037aa99f8a21adc42cb1ff63e157c5a7bc44b799b28425acba63d7ff3454ac8546b3b
- SSDEEP
  
  12288:/8vNAZt4fQ+foATEJyFkUtbrAllCHEhEFcu2WAPy:/8lkt4fzfhtkNfCoEuu2z
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2