agenttesla

Sharing

General

Target

c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16
Size

14.2MB
Sample

240619-nm16estfqm
MD5

e781d2a042806e5d4572e565f15580ec
SHA1

204ad21a1ed35f40299e1f2c2843ad33926756b3
SHA256

c7b130f5b5a0c5d2fa4d202143d40393eccd2bcf563c7496a51ee267dd50bc16
SHA512

580828b5176874ee6fbdd350279bbac8c87200e77aefc895bbad314010a5e0addf2a38eee6be15c100ef41da07307f5c1b55e1d0307a614e3855d783cff1f652
SSDEEP

196608:ij7joqoFArqGAH3fafp2wpqGDksEHHJvUNbstiTrf6WFoOxPVxSIEQm6yvUQRsm:WEMqGi+ptpqGoqxTrfLFoOPGIEQj5Q+m

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
@qwerty90123
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.flynasgsapakistan.com
Port:
587
Username:
[email protected]
Password:
#@Pakistan786

Extracted

Credentials

Protocol: smtp
Host:
mail.groupmt.vn
Port:
587
Username:
[email protected]
Password:
4j37SF2n8e

Extracted

Family

socks5systemz

bmbusei.com

http://bmbusei.com/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ee8889b5e4fa9281ae978f671ea771795af8e05c645db22f31df92d8b38e316a667d307eca743ec4c2b07b52966923a6f89f617c7e891

http://bmbusei.com/search/?q=67e28dd83955a42b4006aa1b7c27d78406abdd88be4b12eab517aa5c96bd86ea97864c96148ab2865b77f80ebad9c60f7cb63037ed2ab423a4334383ba915d911ec07bb606a0708720fa11b861c353baf51aba1e7242fa7023cc366689fe19c7e6939d3cc9

erqrieg.ua

http://erqrieg.ua/search/?q=67e28dd83e0bfb2e455aa5187c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978f171ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ff716c9e9929d32

Targets

- Target
  
  0d406f17fa6d208a7c58e0907883c1a626ea38f4db206621fd241f8d62f8277d.exe
- Size
  
  1.1MB
- MD5
  
  8db44235db95d6663db8d45f9eb27872
- SHA1
  
  7d8ae5d745421418e161837a1c7d219dd9519b07
- SHA256
  
  0d406f17fa6d208a7c58e0907883c1a626ea38f4db206621fd241f8d62f8277d
- SHA512
  
  28570f328bba4f5d357b64eb1ade4c709ce7c02f2635b1721561992fa9913d5de3cb046e910f5f8b836d0491542f6394ff23d57ef3cef2150b95584e7f78baa5
- SSDEEP
  
  24576:wAHnh+eWsN3skA4RV1Hom2KXMmHahyu4BAiCw83CkI/U5:nh+ZkldoPK8YahyHBAG2Ii
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  13966994581adf90c88d36fff75eb33c4a79557cf55fd616124a8c77f883e983.elf
- Size
  
  69KB
- MD5
  
  ab6223b2d2691dd382f7e130d594db5e
- SHA1
  
  684f533882356f6d790d136d936312ca67d87102
- SHA256
  
  13966994581adf90c88d36fff75eb33c4a79557cf55fd616124a8c77f883e983
- SHA512
  
  5b0e8676a228d5218a695fe921f1662d49a06c45d39a0442a293486e2e2656eb464fc7483579e2463c67921648946b3193dece73317b96fe90cf77f7256d3fdf
- SSDEEP
  
  1536:7S4uXkbR4LhqpvbzwM1FhLFxoruIEEf0eWDeESdW1/v5jVv8LCkgzlt:G4uUbRahqpDzR1IviSEKSjyLPgzlt
Score

1^/10
behavioral3
- Target
  
  18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076.exe
- Size
  
  4.7MB
- MD5
  
  d30043dfaa42f25de126e50c5e9ed047
- SHA1
  
  c80d749438fe7d51b92c6fa6b3274681347419a5
- SHA256
  
  18753a0cb65d2b75bd60b82de5ac799c5bc39eab29014c5a57fc04685da72076
- SHA512
  
  70a454e8dfa2ee462f4983c89a726ec8bf1d77a97546cc3f48392c6a31e7588cccab7eb591630443b12e5feb351a79cc682edc81e9ac481b530f426383bf11c1
- SSDEEP
  
  98304:mhV9nxxynoPMx+Us2wdqATwnwxZNjPp/nMe53rCkUmFail6IGx:FozdUnkbPp/bUm7l6P
Score

10^/10

socks5systemz botnet discovery
- Detect Socks5Systemz Payload
- Socks5Systemz
  Socks5Systemz is a botnet written in C++.
  botnet socks5systemz
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral4 behavioral5
- Target
  
  30a973e75f85a9ee9063fc4b17e5c6704f2e58ebfef7abe3e1d55c16f51b2e89.xls
- Size
  
  444KB
- MD5
  
  5ebb34059d8db5ce7d343e997b2ce827
- SHA1
  
  ad87ea5eca71c29e3a18d3f72e84d87fda7a0ea8
- SHA256
  
  30a973e75f85a9ee9063fc4b17e5c6704f2e58ebfef7abe3e1d55c16f51b2e89
- SHA512
  
  8134dfa14bd8626a68018acfe283dd1728d8f96a537063c8904b064c349c4694ddf0142ecbba003de260b29f959431aa30624783d7443eef069d1543ef643cdf
- SSDEEP
  
  12288:Z6NCLIEbCfgQjpozwjTziqoxAVKHUSGL+sPjf:Z6NCUaCfgQKW3iqRVK1GL3P
Score

1^/10
behavioral6 behavioral7
- Target
  
  3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb.exe
- Size
  
  1.1MB
- MD5
  
  ec066ae04c36cf907aafa4448b614467
- SHA1
  
  b53d01c464f61e4654286e8650bb171be14902cf
- SHA256
  
  3214e308dc291ff3e86eefd6f1e36883e9ebe60aa92e8b3f55a0f7ae730790fb
- SHA512
  
  b30f55db38a1c4297c50d3d7e87748ee7f5d203a002d58a61d5770394bc39a7c1b46b50fa094282eb21330830ea7fa523e3eb5c0ac7f1229ded244c8a3e4529f
- SSDEEP
  
  24576:gqDEvCTbMWu7rQYlBQcBiT6rprG8ap3H+1PNrT:gTvC/MTQYxsWR7aZe1PNr
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral8 behavioral9
- Target
  
  361cd32a750b89857322f54b665f7f8849407ba09074e6303be0f26a351f39b5.elf
- Size
  
  71KB
- MD5
  
  e010ef511bf5539ee6b966df738ae6af
- SHA1
  
  0e8139a0dbf8ac40b9fe803d24d7dfa30b44ca23
- SHA256
  
  361cd32a750b89857322f54b665f7f8849407ba09074e6303be0f26a351f39b5
- SHA512
  
  29faacf2c96d0d619060ff6f83e1259ae674747607c23ebcfb98168ebf713d6efa750dcab962dfe9f09c1e5c871c62a61ac889198d7475cdb90e7f2cc089852c
- SSDEEP
  
  1536:tYr4t+G4eCfOJ1zuxiFkmlUmsOAnP8fF5wArRnBUqTAlgcVzd:6r4t+veJLlUp8nrrdBhTAzd
Score

9^/10

discovery
- Contacts a large (93536) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral10
- Target
  
  60be4a7179ddc4d9f12fba876443b3d782508b26fd3a93f89c4d128396abcb3e.elf
- Size
  
  63KB
- MD5
  
  ffbe7ac1d066ab472b50a629acc54db8
- SHA1
  
  308c96dd98b9a29c6c9d40f47d4ce15a51f297c0
- SHA256
  
  60be4a7179ddc4d9f12fba876443b3d782508b26fd3a93f89c4d128396abcb3e
- SHA512
  
  8b662eb5ac2f64484d9fec041f2e059f4279e09f9afda885ccaffa1b40c9a3385bfeeff420946cbc67fcba6bc6fb860e6b31068d716d0e9d914fd5069b9377d0
- SSDEEP
  
  1536:ln78RE31VoraFEr5ynXIKc1pKwDnPpMBx4KtSd0lE5DMF4bAHVt1:h7ZUraaMY8qpc8doE5Dpb2t1
Score

9^/10

discovery
- Contacts a large (96609) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral11
- Target
  
  6559c8149044fde6c8d7ba12ef151a181a3635d0e5ea673cdbb65aaea3d4156c.exe
- Size
  
  752KB
- MD5
  
  3937778f753e03486df93926ef8815fd
- SHA1
  
  9817a28a52d59e2a8a2de93bfe6de7c87ff4ef97
- SHA256
  
  6559c8149044fde6c8d7ba12ef151a181a3635d0e5ea673cdbb65aaea3d4156c
- SHA512
  
  a40446cc7e2b6a29ce6fba0d5d308752e1b8b33f80ba765121c5ede17fd442124ebe37215870ee3f77ed11ee424861104ec174701236b7735b34a2b1bea571dd
- SSDEEP
  
  12288:vSfWWu6/AxouWA97H0c0812h4h6OpGrN1p5apVs3Y8LOj59NwtNj6Z8l5x1FOic+:v0u6/8vD97Hh081Y4hkrNGVczLOFHwtH
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral12 behavioral13
- Target
  
  6845e34952a416113dbc6fbffae8245d708c9bab6dc801c16f34a84744a3b7cc.elf
- Size
  
  61KB
- MD5
  
  ba28069faf2b9dbb4345c5db40ede71f
- SHA1
  
  9e48423e3893dc5c000b8b99ec3cd6e03377913b
- SHA256
  
  6845e34952a416113dbc6fbffae8245d708c9bab6dc801c16f34a84744a3b7cc
- SHA512
  
  c749046b98fe666515c65d1f1b76a3beae0ab5498b15e694cfdbd70c57c98ce5714720460bd10f621360327193795829b8478ad08632f88d47b5b40ea4d6ee96
- SSDEEP
  
  1536:mWFZrbi9iXq+SlHplLEs7Lgs6oK+o6qL2tY:DT3l6lflLEs7hxKEe2tY
Score

9^/10

discovery
- Contacts a large (91463) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral14
- Target
  
  6fdf5b4b08a5894339c26249e190ce627b9585af846573098bed2c050d0ae80b.elf
- Size
  
  71KB
- MD5
  
  c2ffbcbd2cd0b5c07cb931e8688efadc
- SHA1
  
  5bfab037c71b59ec823b964e1f55f9d4c0e20c82
- SHA256
  
  6fdf5b4b08a5894339c26249e190ce627b9585af846573098bed2c050d0ae80b
- SHA512
  
  6779bb9fc003cff73e298eaa3fcda0f708eae7f5812f5675d6543ea8cd42b6a6e264001dbff3ff6268499cd8bf0e1d70355e332991807e3663bf6c0d0e152fc8
- SSDEEP
  
  1536:6t/jWKofymYw5aKcnRSChp7NL5DuvGb+V/XdEc25LPdjrh3yU:6t/jWVYw5+nnp7NN+5dEciLdwU
Score

1^/10
behavioral15
- Target
  
  744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee.exe
- Size
  
  1.1MB
- MD5
  
  c3aab19dbe262ae7ed490d26cb0229c0
- SHA1
  
  1bab4486204fd1d21aa7babd17181d8f5b4add19
- SHA256
  
  744daca400af1f5721eaa529ec3fe427e4837e17ff4766f6bb39643aa488bfee
- SHA512
  
  f858e3ffed40cbb24067c95f057f5a120a14f6bf4866e83c7d0afd2e60e558457a819390e8b46ac44e196e61692ef618a0f1877af355d59ddb9de5d1a1e2793b
- SSDEEP
  
  24576:SAHnh+eWsN3skA4RV1Hom2KXMmHa9ThmRY5Ll89RZSoV5dzWaqF5:Vh+ZkldoPK8Ya9ThmRS89RrV5Ml
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral16 behavioral17
- Target
  
  7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791.exe
- Size
  
  1.1MB
- MD5
  
  153458c4d28fe80dbc951898df7348a0
- SHA1
  
  11bd2534f5e073d7de5560193ad582ebf1fbf19a
- SHA256
  
  7dc25c4e1ebd89f13aa8ecc4fb141a9bf297851781c82d7cb630ce1802e52791
- SHA512
  
  7ee79443e9fc623c98b30ab396169eaffb06aa046bc373889cf3de6279a1aea432489c98a764e340c72e27cf782668601807d8541343ae54b8d1bc0241f01318
- SSDEEP
  
  24576:zAHnh+eWsN3skA4RV1Hom2KXMmHas4Y4uqBp9fcOpbQ5:+h+ZkldoPK8Yas4nuqDDpK
Score

10^/10

agenttesla keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral18 behavioral19
- Target
  
  819e3765d5c40a66951c194f67cdb783e1a711cc3499dd44a43d1cfdec06af4d.elf
- Size
  
  41KB
- MD5
  
  6aec8134adf6a15aa80c393af04bab49
- SHA1
  
  81d7e8a5f53e4f3d780219ee47eb85de54c404cc
- SHA256
  
  819e3765d5c40a66951c194f67cdb783e1a711cc3499dd44a43d1cfdec06af4d
- SHA512
  
  7f45c3dd9a560f05df510ec03c988940a09fe897738335031d30ff1e7d02341a1d1df479b348fb4bc1605a7b63c2e22db383e3375a876f336c153432d89b27b4
- SSDEEP
  
  768:mvOd4URhNIM6/UGvXv6YSXwwV8uBnuksCENr94NF/Qm1xgsn6EfAzZqQHZQY7:mGd4IPIdUwXywweWnuksCWrkOEiZdQg
Score

9^/10

discovery
- Contacts a large (103081) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
behavioral20
- Target
  
  835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73.exe
- Size
  
  855KB
- MD5
  
  93e1256e37cac4fa162ea90eeb7c72b1
- SHA1
  
  e0118027062bef44053998f74162d4e125cc2d61
- SHA256
  
  835e27dcd567204d905fb88c8a7d9e086349f8fd626721e5364041c15a332f73
- SHA512
  
  a34143ad4aa2d09ee08d458c3a22cd9b005dcb20724ea34a00e7ac5ec46d3840cf191a5bb05fad52a50833029bb941c0852b7863475c1e9b92dcc605dccb75ce
- SSDEEP
  
  12288:755MHyv+3UDgck8JvirnUdnUwNwtK+CVINPX9yKBg7vjKP:15MHGhS8J3B/moit9yKe/K
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
behavioral21 behavioral22
- Target
  
  8ed5281c024dc7cf99273c32faa92e358392272a01898958399e324e666c4fd4.elf
- Size
  
  59KB
- MD5
  
  0318047cf2a8c026fbbe1fad5487dc58
- SHA1
  
  b2572295881ea60c7996ba742264472e9d059073
- SHA256
  
  8ed5281c024dc7cf99273c32faa92e358392272a01898958399e324e666c4fd4
- SHA512
  
  7e69b4a4563d1427af29e0d809576c087ff557b0bc237c7f3f1ec516088806cd2b85cd0839a0d7ae2032b4d381b33c84e0bb7a330178d761cd07acf828dddb92
- SSDEEP
  
  768:eKCfoqozoBe37GUqCp5OYnmDKI+2okL2J7nBvshKQ3BkahS8+HrZHiSXff3:e1Ns37GlCpYYnmbL2KBxhWrZC6H3
Score

1^/10
behavioral23
- Target
  
  8fd73ae7fb9da6bf5d793b56d1cd12a0f2cd342236cca599fb92ecdc1ea700da.exe
- Size
  
  855KB
- MD5
  
  ee2b547c344606df4e8b4fc1114274c4
- SHA1
  
  dff9650c7ec6e71612c4e7af46cf4cafef69b2c1
- SHA256
  
  8fd73ae7fb9da6bf5d793b56d1cd12a0f2cd342236cca599fb92ecdc1ea700da
- SHA512
  
  2a69297894eeaafa4e259cfc06cc5ea149323255d0c466dc08dc8d792c9a8b3022a17e94b125b7a140c41dea93a23dea8702db2b5ccf2a00d0226181eac470b1
- SSDEEP
  
  24576:Ng61jjk0LAta9AYZDIKkK2+W5LVrfagz:dFkh37am
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral24 behavioral25
- Target
  
  add0cec032cff1069925f00734c1296bd4e305c4e07006b3b0fa3b9497d8e626.exe
- Size
  
  1.1MB
- MD5
  
  d70c602a2e3471f1676b939409d7172f
- SHA1
  
  ce8fc0b594b46a049df4e64569bc030931504b6f
- SHA256
  
  add0cec032cff1069925f00734c1296bd4e305c4e07006b3b0fa3b9497d8e626
- SHA512
  
  a718cc3cf60c7c9f5893e34da62daf0266855c8938cc55cc1108f2ccc881f56a293f35160ded8d4205ca7972e891e0b3406889ec9bbbd989ba3674ca11f3e966
- SSDEEP
  
  24576:wAHnh+eWsN3skA4RV1Hom2KXMmHamatMiaQQeR28/OF5:nh+ZkldoPK8YamhiaQQU28/M
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Suspicious use of SetThreadContext
behavioral26 behavioral27
- Target
  
  ae7dfe0fe3ea9ba1dae5221072a51896c9b6c8384eb6514fb9dacbf9d6c7fca6.exe
- Size
  
  1.2MB
- MD5
  
  a2a2e7e02d9543edcde82440d81595b1
- SHA1
  
  2f7bc3c847c661606a1ef80456ed085f5bf50e46
- SHA256
  
  ae7dfe0fe3ea9ba1dae5221072a51896c9b6c8384eb6514fb9dacbf9d6c7fca6
- SHA512
  
  7d769716bf0bda0f110e65f589d98170933f253a97ad52e7d3fdccd7899569e3c4ae0056a8b15abe22d1bc1856871326ea0a4a8590566dcecd587b59509c9161
- SSDEEP
  
  24576:nAHnh+eWsN3skA4RV1Hom2KXMmHaFIhIDtRyBBNuTEnJBT7tRsxSs30AZ5:ah+ZkldoPK8YaFIhIDtYBNpnHnn23t
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral28 behavioral29
- Target
  
  b2183760768b6dffb3c3f4c28510c6e32cae125d46f5d4e046bbdfd860d46b26.exe
- Size
  
  755KB
- MD5
  
  69eb8a758814ce93b09578f47aba4c19
- SHA1
  
  66850a40b2b77f8f89f8882a5f8aecc87110945e
- SHA256
  
  b2183760768b6dffb3c3f4c28510c6e32cae125d46f5d4e046bbdfd860d46b26
- SHA512
  
  df1d61ea9f993b311949e7cef7137c52fe367c75fe6bfa1a6c524376c5894f3c8f94b687814a769a44e83e626556bcf4b8b12f5d72b7924e220012d332eaaeae
- SSDEEP
  
  12288:4bKDA7hW9s72Rw4iJQPxUCbwlM5cd39KKcZuoni5Y2rKDEbnv77PACR5leZlN2b:4bPWO7D4iJq0lM5EQzjngLHDDA+erob
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral30 behavioral31
- Target
  
  c7305e86e90093f34bae25efd97eb5a8fed3a6b985b1633ee99ffff608211838.exe
- Size
  
  744KB
- MD5
  
  fadf1562d3b36bc5cea91582a52a9694
- SHA1
  
  307acfdda6ed2cb89dbd1ca91b95dab338566fae
- SHA256
  
  c7305e86e90093f34bae25efd97eb5a8fed3a6b985b1633ee99ffff608211838
- SHA512
  
  30ea3939a54c270a76cd5eef48432c03dd7a3a82c264b78a3897582c6b140a35f015412b636487afdd49f92c4049cadf4f57e820bda49dc71ba3ef7ecfa1be17
- SSDEEP
  
  12288:XaCR5leZlNqjm/3ctwHBAEZkilJUnkcmRvg9JkSQi0H33VuwKWcQv:q+ersntwhAECjkNSJPW33VTKWcQ
Score

8^/10

execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious use of SetThreadContext
behavioral32

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Network Service Discovery

T1046

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Suspicious use of SetThreadContext

Detect Socks5Systemz Payload

Socks5Systemz

Executes dropped EXE

Loads dropped DLL

Unexpected DNS network traffic destination

Checks installed software on the system

AgentTesla

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Contacts a large (93536) amount of remote hosts

Creates a large amount of network flows

Unexpected DNS network traffic destination

Contacts a large (96609) amount of remote hosts

Creates a large amount of network flows

Unexpected DNS network traffic destination

AgentTesla

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Contacts a large (91463) amount of remote hosts

Creates a large amount of network flows

Unexpected DNS network traffic destination

AgentTesla

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Contacts a large (103081) amount of remote hosts

Creates a large amount of network flows

Unexpected DNS network traffic destination

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

AgentTesla

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

AgentTesla

Suspicious use of SetThreadContext

AgentTesla

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

Command and Scripting Interpreter: PowerShell

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tasks