agenttesla | c31957e7f7c20119847fc9fc963ff30b67082f0cbb4389d89be6e19762111a83 | Triage

Sharing

General

Target

Order 0003994887588960600000.bat.exe
Size

366KB
Sample

240704-p8nb5axbrl
MD5

d59caca462dcc8483ca9029f11be6d8a
SHA1

1515edade6814e5bb2642d63d7dd87fcc6f67bf7
SHA256

c31957e7f7c20119847fc9fc963ff30b67082f0cbb4389d89be6e19762111a83
SHA512

4d9dcbaa14fed9ec39878aa8724db501138ab7b13277bbd0da1c321ae1f1107c2b5a8b5004c08077abcfcd8041670841f31bbd38d1f9220a8b86ce5231ebfb27
SSDEEP

6144:hHadpdwMakhnB4kzYTp9NgyZ8153vtty4oR3p1QTTk586PwbmJKV:hHadykhip9+ye15vttfy3YTu86PwbmJG

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  Order 0003994887588960600000.bat.exe
- Size
  
  366KB
- MD5
  
  d59caca462dcc8483ca9029f11be6d8a
- SHA1
  
  1515edade6814e5bb2642d63d7dd87fcc6f67bf7
- SHA256
  
  c31957e7f7c20119847fc9fc963ff30b67082f0cbb4389d89be6e19762111a83
- SHA512
  
  4d9dcbaa14fed9ec39878aa8724db501138ab7b13277bbd0da1c321ae1f1107c2b5a8b5004c08077abcfcd8041670841f31bbd38d1f9220a8b86ce5231ebfb27
- SSDEEP
  
  6144:hHadpdwMakhnB4kzYTp9NgyZ8153vtty4oR3p1QTTk586PwbmJKV:hHadykhip9+ye15vttfy3YTu86PwbmJG
Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  192639861e3dc2dc5c08bb8f8c7260d5
- SHA1
  
  58d30e460609e22fa0098bc27d928b689ef9af78
- SHA256
  
  23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
- SHA512
  
  6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
- SSDEEP
  
  192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
Score

3^/10
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Credentials in Registry

Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

behavioral2

agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

behavioral3

behavioral4