agenttesla

General

Target

54cd896f8563cb92027b269edede70121aae2d55a07e6b21e5f7dddae11f8a81
Size

304KB
Sample

240524-j7rehaah8x
MD5

394f33b7300eb87ad37160a79d125339
SHA1

a4ba261b1f9a318e3316327333999ce74a16cbf7
SHA256

54cd896f8563cb92027b269edede70121aae2d55a07e6b21e5f7dddae11f8a81
SHA512

e88e8ebf1cb3c5d23d39d21743b54b5e6aa1e17cede0c53a962d454dd3db13ff8fee3fc470ce41d33d42a365aa41b11c4946de4406947e21c49183b8b9c5af9c
SSDEEP

6144:0YydtNM9sAXB4KQ05iYKU01+DKAywHDMMqybaunarm52goEEWbQ:0Y8q/Q5jUrfywHD1qyBvlosbQ

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
tqpas.com
Port:
587
Username:
[email protected]
Password:
Ot939393!
Email To:
[email protected]

Targets

- Target
  
  hesaphareketi-015232024.SCR
- Size
  
  321KB
- MD5
  
  14f0b309c14c5f5e75c9a1d95967318b
- SHA1
  
  baa09246339d936e19328dcca98c527a8af9cb5c
- SHA256
  
  415dc24924ada536128e601b4372a72dd6d6e566e3b49c3c79a5b6dde7b702cf
- SHA512
  
  7e8e8b92b9d3f55a105de154fdb1e468fa3e6bc73c21eef2495ba22ee0522e15dca490b1c1210b83ab2ed876f67c34efcde8ca72375a695ba69d9237ecaa5d30
- SSDEEP
  
  6144:bJHFcDmiIr2baLQ+axLyAPuBthKaOUn1ajxPiFLUunarm5pL5Yzmwn3Wrgmi:hFKmX29+axg48gjxILLvpVE3tZ
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2