agenttesla

Sharing

Copy URL

Twitter E-mail

General

Target

f51f1f279feb7964a187ecdcd07c6f741d77cbcbb909a28aed96f52fc2d1b9e1.zip
Size

1.2MB
Sample

240727-clkaqstbqg
MD5

4323b9dc93889a0f7c88f10a31149de7
SHA1

31729df81f3cc3412b3ce38542cdb6816e2bf146
SHA256

f51f1f279feb7964a187ecdcd07c6f741d77cbcbb909a28aed96f52fc2d1b9e1
SHA512

a1603a8279b14c39dd3b4fcc06cd712e04cabc4a715d252b755e086b1f3d2e9683c3b62e60d9df9e350424df0408f1e6fa1803bc36a2c8d8bb4276682a1a1c33
SSDEEP

24576:wUShb0Ug8XZdz5hrwoXo96VoroDx3Z1hqWbrc337RLqmOunjWq9js/rIl:bcb0KVRwm86VorKx3Z1kWbY3LvOunj

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
uy,o#mZj8$lY

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
uy,o#mZj8$lY

Targets

- Target
  
  RFQ-SW M-0013091-DHABI HARDWARE.exe
- Size
  
  24KB
- MD5
  
  9f6938e89824ccce04a9272087dec776
- SHA1
  
  7f19bee228698f4b0bb90b40c6ca2bcadc326a66
- SHA256
  
  b500874cd5939223c2b7cb52134bef3a3bf6ab1c1d112bf27c6b5e5b15f8177f
- SHA512
  
  e0052a1bcf5d5ab910da6541c51338e1215a265e8521260bf08ab00ac0320653dafab565ef616d7f1192fb55d4b0feb1666b1a73fcc7b08ae0ac0e625f4b67e1
- SSDEEP
  
  384:eM4cghl1oqCrKFf4H5A2eFP27xWkVbgWUlIx4cNWcG0FP27NBY3Yuv+ivM:WSqbFQH5iKxnVbgvqxNNZK/Y/+
Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  extnet.dll
- Size
  
  24KB
- MD5
  
  09933bf55c8ebf5e8cf1feb176481801
- SHA1
  
  c1c20be9a15ecccf6aaa480af2393ca636809f32
- SHA256
  
  0f3c856246dd80f30c849156253a5c29ec3e129e366fdd51d2ca8823a516c3e9
- SHA512
  
  f012f7e803afc67a6b8055ac07632f611be49b11f8f41bd06a24f5cc93ad7edbdbb34c732267b98bcc254382b570cf923e04edadf1482cf01a47e4908fb4c3ca
- SSDEEP
  
  384:sV18LnUTFTr7UqCdCFP27xWkVbgWUlIx4c5WDf/U0FP27NBY3Yuv+XCoN:VjUTuNEKxnVbgvqxN5sK/Y/+XCoN
Score

1^/10
behavioral3 behavioral4
- Target
  
  jli.dll
- Size
  
  1.8MB
- MD5
  
  bcb0241f3d342932863f1812e7e59d7c
- SHA1
  
  b5d6da864148f16cbcfef7ea9afd2c82e7f1e30c
- SHA256
  
  99f65e231e2ce3ff798cc131b123a213faa5fe329154db02611201317c45e091
- SHA512
  
  124cde5670ce7ff3c870cc68aeb3225bfd839114ba3e9b4e10a40f23cafb31478d2a55db152c6e06b3ff740cf7b7115c149dc2796e924cea24bb41563aec15f9
- SSDEEP
  
  24576:3x9Cm6pOSgrbtR/UDI2KNc32ybHAaD835rkbqO1UkTrclCPIdkgVmdnALoBhkw2:3x9Cm6ASgrbtFUDXTA7gMMPIxYyLgGr
Score

10^/10

agenttesla credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  msvcpcore.dll
- Size
  
  244KB
- MD5
  
  840783b067071df45f8562218277ed91
- SHA1
  
  845763f4923bc3e7f3a195f60ca54757626eb114
- SHA256
  
  97111473c6ada4542a52cf980d3c97bcc8ba5907d7a219f3fab7478cf2ea1aea
- SHA512
  
  ad80b794b1067113e6d602226a3902fd19dbbd46a9ac60f583c6502b8be9a628a639ee2c465f28aa7731bc549d6f1186d40379843be8621301c3d2f5a0e53f2f
- SSDEEP
  
  6144:rH2kUt9qWrmywGtXklfR3C7m779Ezm+CEOzECvCZ721:rW/9qnywGcZ3xM+3CZY
Score

1^/10
behavioral7 behavioral8
- Target
  
  prefs.dll
- Size
  
  26KB
- MD5
  
  9b6280e64b6d89b03b67db84b54aaa93
- SHA1
  
  5fdd63567326fc0f507b3dac86ec4297fde166d0
- SHA256
  
  8897b9d5734146ecc34cf7ab7d5dbbc3798db54da731b324d1b41c2bdb0efe64
- SHA512
  
  b6b6eba5da72a5561cb6c19abdcabe4e364c7d293db3ad5672532a058e83abe94a7fc2c8ab352812079057c7403aa3580df08a141144ac4625ed8c26d18cc1a7
- SSDEEP
  
  768:e3sZ6lhi5opYD75YpKxnVbgvqxNdliK/Y/+8U:Uk0s5SYD76pKxnKvKNdliK/WU
Score

1^/10
behavioral10 behavioral9
- Target
  
  vcruntime140.dll
- Size
  
  107KB
- MD5
  
  146eb6b29080a212b646289808ae0818
- SHA1
  
  e5d9801f226ecd3af662df225f751ae8a8934357
- SHA256
  
  f66c606d2ee6bbca375ab4268b0c6aef5170a4ca580a00e17a56057a7a127743
- SHA512
  
  0824b42ca2539709f77134ffea9c10fc9f4c126b6a309bd5d3ddd02a660ef98d63b178219d83b173340798c479a1008c2d4f57830898673043fee2450a210a58
- SSDEEP
  
  3072:y67mylIhkoQpdK9H9YOecbKV02pKuKLK/M:7iylZoQwH93ecbKCR72/M
Score

1^/10
behavioral11 behavioral12
- Target
  
  vcruntime140_1.dll
- Size
  
  49KB
- MD5
  
  c106bef63b8db2f32de277b0c314249f
- SHA1
  
  b172b5809f95bd4f4181fe30c30368b50a27f08a
- SHA256
  
  dced523e24b4374522c86f7bbfc0ac8d8e1078336492629722081339adaad9ba
- SHA512
  
  77aab947ffec187f054c68899f2b4186a53b2901fb74ee6702586c1207a4abea238c64da0aa3ebe56695c31606b315f9a6289ca1748e9770fcfca5816e7e6580
- SSDEEP
  
  768:+Cm5yhUcwrHY/ntTxT6ovF7IVwwIl9znKxnVbgvqxNJUoK/Y/+b:lOHc16opIVwwI3znKxnKvKNJUoK/x
Score

1^/10
behavioral13 behavioral14
- Target
  
  winsxspv.dll
- Size
  
  288B
- MD5
  
  34a77ab02e849e3a5fca69b22dc5b4b8
- SHA1
  
  944ea6c33d3ce4ea272a7cb19dedb74175a97897
- SHA256
  
  f99553cee956e85d200d6b9872d6c52c0143be489dbd0998dff4d60122641719
- SHA512
  
  a125725bb1966fbd0e256a1fd0a05a39ec63b14d6e10b2a4897d83b8f89f36f1fb1fb1c6a0c0bd100ef82dada8ab3db98ef0e75d54d918f245918d78b007bcfd
Score

1^/10
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Reads WinSCP keys stored on the system

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

AgentTesla

Credentials from Password Stores: Credentials from Web Browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16