agenttesla

General

Target

967e07ed35fc477b00fe777c8bd4f5e7ead02d2581987bb75f6386a485799078.exe
Size

1022KB
Sample

240524-bx7pqsgf44
MD5

a09a09c68544d2bb8dfc72f93a3f5291
SHA1

2731e2f42310b2b9114a43778f18455a4fe78bb9
SHA256

967e07ed35fc477b00fe777c8bd4f5e7ead02d2581987bb75f6386a485799078
SHA512

82f59bacfb64548b1d929f7cfe394e56a49892060e23c1dd26229d025157a73da56715fd4ca34c4384f2e094d4b997fcf039a53506d8120a56cd14b424936dc1
SSDEEP

24576:BAHnh+eWsN3skA4RV1Hom2KXMmHad4d2s6fIo3oHi5:Yh+ZkldoPK8Yadzs6fd

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
-GN,s*KH{VEhPmo)+f

Targets

- Target
  
  967e07ed35fc477b00fe777c8bd4f5e7ead02d2581987bb75f6386a485799078.exe
- Size
  
  1022KB
- MD5
  
  a09a09c68544d2bb8dfc72f93a3f5291
- SHA1
  
  2731e2f42310b2b9114a43778f18455a4fe78bb9
- SHA256
  
  967e07ed35fc477b00fe777c8bd4f5e7ead02d2581987bb75f6386a485799078
- SHA512
  
  82f59bacfb64548b1d929f7cfe394e56a49892060e23c1dd26229d025157a73da56715fd4ca34c4384f2e094d4b997fcf039a53506d8120a56cd14b424936dc1
- SSDEEP
  
  24576:BAHnh+eWsN3skA4RV1Hom2KXMmHad4d2s6fIo3oHi5:Yh+ZkldoPK8Yadzs6fd
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2