agenttesla

General

Target

2e1cc7d91fb1e2458c6689fbac06c0c0_NeikiAnalytics.exe
Size

2.3MB
Sample

240617-bv78gsxhpc
MD5

2e1cc7d91fb1e2458c6689fbac06c0c0
SHA1

813b9eae4aee0db0f14ca433818fd6b27fa7eba8
SHA256

edc08d2cf48260e8451bc47b08087cf666362a161001312477df5c9d0cf29a51
SHA512

c61f3fd6d3c5c543394f12344e8857a4e6e279542e448974a1d615c79bedc9f0192967d5adb4f6a34c0c3b827bde8819bc30c0c21bc3308dc637938488da7bfe
SSDEEP

12288:E4fdIgiPeXovF6rEpPLIW3jqQQ5a6XizzGnHWp+z2vSCa7BdhrtZj8Qtfs:E4fdqmiFhH3jsz+4SFa7rLZgQtk

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7446048205:AAH63tMdZbDRgkmzEm6-HCOpd5eAOzt7ZAQ/

Targets

- Target
  
  2e1cc7d91fb1e2458c6689fbac06c0c0_NeikiAnalytics.exe
- Size
  
  2.3MB
- MD5
  
  2e1cc7d91fb1e2458c6689fbac06c0c0
- SHA1
  
  813b9eae4aee0db0f14ca433818fd6b27fa7eba8
- SHA256
  
  edc08d2cf48260e8451bc47b08087cf666362a161001312477df5c9d0cf29a51
- SHA512
  
  c61f3fd6d3c5c543394f12344e8857a4e6e279542e448974a1d615c79bedc9f0192967d5adb4f6a34c0c3b827bde8819bc30c0c21bc3308dc637938488da7bfe
- SSDEEP
  
  12288:E4fdIgiPeXovF6rEpPLIW3jqQQ5a6XizzGnHWp+z2vSCa7BdhrtZj8Qtfs:E4fdqmiFhH3jsz+4SFa7rLZgQtk
Score

10^/10

agenttesla evasion execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2