agenttesla

General

Target

5e55822bd00aac0865436cac6f7a6a8f881cd3ce027474a5b741f43a94c84095.exe
Size

794KB
Sample

240529-bv4v3acg71
MD5

54799fee84c11edd9e0b221612bf2631
SHA1

bfbdc60eb14ca180b2143f3a16d38d73cf9126f5
SHA256

5e55822bd00aac0865436cac6f7a6a8f881cd3ce027474a5b741f43a94c84095
SHA512

a903c9b729eabe05e258cc026e01539f22cd9dc98d625b8ccbfbf5900fafc5acaf063d01f9a7bd0d0be84890bd30fb85f23cce9006f65f86d4b8460ab2dafd08
SSDEEP

12288:qDuADVUI0AHCfFmcLnlVfmJ0j74NAJgOlMm0VqLxhlOaGkw:qTKGifFHlV+K74NugOlw4Lxhfu

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.officeemailbackup.com
Port:
587
Username:
[email protected]
Password:
*L_n.e3}D?ky
Email To:
[email protected]

Targets

- Target
  
  5e55822bd00aac0865436cac6f7a6a8f881cd3ce027474a5b741f43a94c84095.exe
- Size
  
  794KB
- MD5
  
  54799fee84c11edd9e0b221612bf2631
- SHA1
  
  bfbdc60eb14ca180b2143f3a16d38d73cf9126f5
- SHA256
  
  5e55822bd00aac0865436cac6f7a6a8f881cd3ce027474a5b741f43a94c84095
- SHA512
  
  a903c9b729eabe05e258cc026e01539f22cd9dc98d625b8ccbfbf5900fafc5acaf063d01f9a7bd0d0be84890bd30fb85f23cce9006f65f86d4b8460ab2dafd08
- SSDEEP
  
  12288:qDuADVUI0AHCfFmcLnlVfmJ0j74NAJgOlMm0VqLxhlOaGkw:qTKGifFHlV+K74NugOlw4Lxhfu
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with or use KoiVM
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables packed with or use KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2