agenttesla

General

Target

33ffafc42576d24e6ccb7917a9f5e0f073ca1df9ce70c1a0af48a82bb63f0117
Size

19KB
Sample

240612-bn23wsxdrh
MD5

6a31128c19807fc52a90780dd7016ab3
SHA1

db8a662e197c954341458a671d7fd19050aa24e4
SHA256

33ffafc42576d24e6ccb7917a9f5e0f073ca1df9ce70c1a0af48a82bb63f0117
SHA512

0f6ff235b195671e5d1d0a63cade60f1cc662c7ee6a4f9e6e47c9ca60f01f3479e51a2e4c49635f8d2055edda968e46827833eff857520449147a8b7107dc9a0
SSDEEP

384:XDNGjDFYTk5CGbvi6zmYXg6EYsYiPKRxw+v2dugB3QUnwK6kNgCo:zNS6TAp9jpsYiStudugBtz6kPo

Score

10^/10

Malware Config

Extracted

Family

purecrypter

C2

http://161.129.66.18/Yxnbi.wav

Extracted

Credentials

Protocol: smtp
Host:
mail.hazengineering.com
Port:
587
Username:
[email protected]
Password:
Hazmuh59!*

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hazengineering.com
Port:
587
Username:
[email protected]
Password:
Hazmuh59!*
Email To:
[email protected]

Targets

- Target
  
  33ffafc42576d24e6ccb7917a9f5e0f073ca1df9ce70c1a0af48a82bb63f0117
- Size
  
  19KB
- MD5
  
  6a31128c19807fc52a90780dd7016ab3
- SHA1
  
  db8a662e197c954341458a671d7fd19050aa24e4
- SHA256
  
  33ffafc42576d24e6ccb7917a9f5e0f073ca1df9ce70c1a0af48a82bb63f0117
- SHA512
  
  0f6ff235b195671e5d1d0a63cade60f1cc662c7ee6a4f9e6e47c9ca60f01f3479e51a2e4c49635f8d2055edda968e46827833eff857520449147a8b7107dc9a0
- SSDEEP
  
  384:XDNGjDFYTk5CGbvi6zmYXg6EYsYiPKRxw+v2dugB3QUnwK6kNgCo:zNS6TAp9jpsYiStudugBtz6kPo
Score

10^/10

agenttesla purecrypter downloader keylogger loader persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2