agenttesla

General

Target

471e1552c28823dc7f3fe17abde8666e573db5d41b030aa3c46acb92f0aa7512
Size

11KB
Sample

240617-bdmv8a1crm
MD5

34e104205244cdd76c3420d734066b02
SHA1

8a3e1a2736de563e2f32abe631db0be24e992b16
SHA256

471e1552c28823dc7f3fe17abde8666e573db5d41b030aa3c46acb92f0aa7512
SHA512

f5f37381493da8adb036290927067aefb939544fc52de13c1f116c97b76a139fde07cfa5ed123a4af9a12994abfccd88e9219b6f7b4dc2c021a9fc15bc9c70b0
SSDEEP

96:Yf3HO3KJey0wOmtFHBRl4gYxuT40VYglYdCVzUg4pZOnENiUgzNt:u3OXrenRT40VuwVgg4pZ/N9i

Score

10^/10

Malware Config

Extracted

Family

purecrypter

C2

https://www.vascocorretora.com.br/PPI/Xarooah.vdf

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/

Targets

- Target
  
  471e1552c28823dc7f3fe17abde8666e573db5d41b030aa3c46acb92f0aa7512
- Size
  
  11KB
- MD5
  
  34e104205244cdd76c3420d734066b02
- SHA1
  
  8a3e1a2736de563e2f32abe631db0be24e992b16
- SHA256
  
  471e1552c28823dc7f3fe17abde8666e573db5d41b030aa3c46acb92f0aa7512
- SHA512
  
  f5f37381493da8adb036290927067aefb939544fc52de13c1f116c97b76a139fde07cfa5ed123a4af9a12994abfccd88e9219b6f7b4dc2c021a9fc15bc9c70b0
- SSDEEP
  
  96:Yf3HO3KJey0wOmtFHBRl4gYxuT40VYglYdCVzUg4pZOnENiUgzNt:u3OXrenRT40VuwVgg4pZ/N9i
Score

10^/10

purecrypter downloader loader agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
  loader downloader purecrypter
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

PureCrypter

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2