agenttesla

General

Target

ce4d27f8271459cba8e5ee47c218a18ea818b38de6c42635decaed6c10e1c41d
Size

2.5MB
Sample

240624-bh26pswbmj
MD5

de9b7b1f668a33d19d8058706ba6c16e
SHA1

6f8d6b460e3cc74ecc97bf8eb73490c3498ff778
SHA256

ce4d27f8271459cba8e5ee47c218a18ea818b38de6c42635decaed6c10e1c41d
SHA512

5fc9d9d48aa29da2d0df0201dfe945a7f5354e00cf47204077c9b83da34ee1afb1b28ebcc73ddfc2823e76975a9844f5feeb334a56c5dec1d1d6d8eca3229427
SSDEEP

12288:vt0KKLaVTXQFIsx2Aa+jjtRgvWNcE3wiDeR01S5XxWfMb0:F0KKLaVTAFI42AbjLzN13wik2+0

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oserfech.eu
Port:
587
Username:
[email protected]
Password:
Epicoffice@2024
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.oserfech.eu
Port:
587
Username:
[email protected]
Password:
Epicoffice@2024

Targets

- Target
  
  ce4d27f8271459cba8e5ee47c218a18ea818b38de6c42635decaed6c10e1c41d
- Size
  
  2.5MB
- MD5
  
  de9b7b1f668a33d19d8058706ba6c16e
- SHA1
  
  6f8d6b460e3cc74ecc97bf8eb73490c3498ff778
- SHA256
  
  ce4d27f8271459cba8e5ee47c218a18ea818b38de6c42635decaed6c10e1c41d
- SHA512
  
  5fc9d9d48aa29da2d0df0201dfe945a7f5354e00cf47204077c9b83da34ee1afb1b28ebcc73ddfc2823e76975a9844f5feeb334a56c5dec1d1d6d8eca3229427
- SSDEEP
  
  12288:vt0KKLaVTXQFIsx2Aa+jjtRgvWNcE3wiDeR01S5XxWfMb0:F0KKLaVTAFI42AbjLzN13wik2+0
Score

10^/10

agenttesla evasion execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2