agenttesla

General

Target

960db67081f8b25865698988f9758d0c80a7601c8326902eb52d1fe8ae6b9f0e
Size

1.0MB
Sample

240720-bfm9rszakn
MD5

9decd029a7800230daaae693cd48c6af
SHA1

6b5133eed57881bbfaef4f18dece5299b8879d5e
SHA256

960db67081f8b25865698988f9758d0c80a7601c8326902eb52d1fe8ae6b9f0e
SHA512

f229700238de5b0b4c7da31d60f4bdd5ce2b4d8a60ca3f5fb15ca6f7f46f9daddd2218b9660ee30e4a1cf1126194dddd2996831e0afacfa3c9cbd71c32f733dd
SSDEEP

24576:CcatvGcxvi4KVNYIejOQJBZc80oOv0MapS3awJLGgvZV:ctrxvi44g3x0ouapSr5zRV

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
manlikeyou88
Email To:
[email protected]

Extracted

Family

redline

Botnet

bigpay

C2

204.10.160.140:7001

Targets

- Target
  
  224cb722a3b940c564dd0f4e6347776a6ebd2ce4d1ce898cc16769a8ec079b1a.exe
- Size
  
  140KB
- MD5
  
  1baba2d74f12915a3b89ecb883315008
- SHA1
  
  c45b81ab4753eafe6d5f0e0ce9623c79e888a8df
- SHA256
  
  224cb722a3b940c564dd0f4e6347776a6ebd2ce4d1ce898cc16769a8ec079b1a
- SHA512
  
  7a4597bb7c8c058c0171cde6c341e74fab5754b1b0054117b3cdd016837cc37ea4609de36638eadf1bc52bbf64fdce2cde6302898bff4546729721e3ce311277
- SSDEEP
  
  3072:B2rwPGZSiq413j9DE0CA6DWkJZz8qjOYRwRcTvRB8Z4PHjnCp:c5ZSsQ0RAXkYRLnCp
Score

1^/10
behavioral1 behavioral2
- Target
  
  purchase order - PO-011024-201.exe
- Size
  
  975KB
- MD5
  
  fb5123fc6707fe4e06c962b5aa7d8f1d
- SHA1
  
  a06b21030a4dcd1b9e987c13742be49540c5ee46
- SHA256
  
  7306a090c8afd7557dc6a32f072937107058f5d14b5d416730b189647980b757
- SHA512
  
  a7261913938b0acf68b74a7ab54ada022f27e33ecdd5c07d6cdb7d939ab2ee0dbfafa6548fc022f2e08e796200df7fbce49a913bad1182d1772cc5d3a3235c5a
- SSDEEP
  
  24576:+2BL9SiKt1yowjwQ9Bj+20sOZgSGnS3ewqm:+2BL9SiA81N0seGnS3q
Score

10^/10

agenttesla redline bigpay discovery execution infostealer keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral3 behavioral4