agenttesla

General

Target

c7f128e3de6462cb93082b6479ffdbad0ff276eed80e84b0f5330b94f14ac386
Size

893KB
Sample

240707-hcg2xawcqk
MD5

3ec3ed1413a4d19d2a82b40e2766dfc2
SHA1

a9aae95dba80a0034de8df3983e122fd291bf72b
SHA256

c7f128e3de6462cb93082b6479ffdbad0ff276eed80e84b0f5330b94f14ac386
SHA512

cb8c63573302d9bb73388078b77f26c4c1166288164703fcd190b043cdbd9601fdd68cefa98cfaab822c2a7fd075f634bc3aa84bd7d19e676e8b3cf75fccc8b5
SSDEEP

24576://N9kYYnejUNi7hHDrmT5SII/XTArsSja5P3ZD/r:HNSYepAFDuI/kzjsPZn

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.commtechtrading.com
Port:
587
Username:
[email protected]
Password:
;elP@ho2Np 7[
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.commtechtrading.com
Port:
587
Username:
[email protected]
Password:
;elP@ho2Np 7[

Targets

- Target
  
  POs, PSB-17398902, 84789.exe
- Size
  
  937KB
- MD5
  
  86217c9fdf19f28c88b78a4d842d192f
- SHA1
  
  2dd6eeb7c33dca2fe13b8a830c9040c606f4efa3
- SHA256
  
  50f213324308d7628f1708c4cb7c6242bb15ed45f1828f459703bfd692d007a0
- SHA512
  
  4477d57b98cd678b98f54fa74b1aeb50d9032003e8657447f8da38e1439a77e5d9b228811095e16faf514f49326bc5112adb426aba250bc179cb852332e97a0f
- SSDEEP
  
  24576:lzZfT5AGQACmtFUDAUjLQPj1aZeHMIqRZ1DM:ltfqGZCmtFUDAUjmaQ4/1g
Score

10^/10

agenttesla execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2