agenttesla

General

Target

55273bb86eda9a403c0d0e7c2164694e57f5d73e5a3ba64b11f6892d3939edd2
Size

756KB
Sample

240712-brbecavfkg
MD5

cfe2fb1f0577846b88f709d0fedeee37
SHA1

a23f34fe198fd27d707ef5a61e5765c66d0feb51
SHA256

55273bb86eda9a403c0d0e7c2164694e57f5d73e5a3ba64b11f6892d3939edd2
SHA512

f4f4abf95350403b72583aeb9404defacc3c6fccadd6149b851b68836ec0826ed0811bbb1c6d403bb6b6109cb0a229d4c0af068b73ca47d3992e80251b1fba5b
SSDEEP

12288:6dRgYVK+orv4MZ0xaZsT/JLxlwd5b6FJwvIlNLLp8xInIUbutMZJbpS:6Lg1+RsydxleIPVjLpOcIUbuoJF

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://backup.smartape.ru
Port:
21
Username:
user889214
Password:
RjYKRIRkfluo

Extracted

Credentials

Protocol: ftp
Host:
backup.smartape.ru
Port:
21
Username:
user889214
Password:
RjYKRIRkfluo

Targets

- Target
  
  55273bb86eda9a403c0d0e7c2164694e57f5d73e5a3ba64b11f6892d3939edd2
- Size
  
  756KB
- MD5
  
  cfe2fb1f0577846b88f709d0fedeee37
- SHA1
  
  a23f34fe198fd27d707ef5a61e5765c66d0feb51
- SHA256
  
  55273bb86eda9a403c0d0e7c2164694e57f5d73e5a3ba64b11f6892d3939edd2
- SHA512
  
  f4f4abf95350403b72583aeb9404defacc3c6fccadd6149b851b68836ec0826ed0811bbb1c6d403bb6b6109cb0a229d4c0af068b73ca47d3992e80251b1fba5b
- SSDEEP
  
  12288:6dRgYVK+orv4MZ0xaZsT/JLxlwd5b6FJwvIlNLLp8xInIUbutMZJbpS:6Lg1+RsydxleIPVjLpOcIUbuoJF
Score

10^/10

agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

2

T1552.001

Credentials in Registry

1

T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2