agenttesla

General

Target

aca77380e2b7063a61ec7e3b8d51555b_JaffaCakes118
Size

532KB
Sample

240819-1bmvwa1akp
MD5

aca77380e2b7063a61ec7e3b8d51555b
SHA1

5b52882f4c6887e6daaf7b8b0a69751cc9d246f1
SHA256

3be1a1943a0970664685bd6e6211b188cd55d494b536266cc12a9796776b3c51
SHA512

f47ce230f9ce063d61c43f93b4e38210d638451c21eb9b2ea5b0690f850d10bb5451648450de27da2c70cd89a2655177561b80ca10bf412c7c7abecd32a9f187
SSDEEP

12288:MOpNXkUUB1ZyCRvx+OwStQMGZpjI11nrTXNfFvj2:JNW1IIx+OnQMKa1pHXNfFb2

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tpcdel.com
Port:
587
Username:
[email protected]
Password:
EmlP@2018

Targets

- Target
  
  CV_pdf.exe
- Size
  
  2.7MB
- MD5
  
  4c2265e61a16f5ce7948ceaba1a66261
- SHA1
  
  9b9e7b415033f70a73289b388380d6eff0a21570
- SHA256
  
  c72517c46d036980630aa4bd15a17dd7b5aa3a3807b65410affe04f103d69e00
- SHA512
  
  259141552b403bbfa39ac9a5ef3baf6a3230345c40082ff40e53531fa2e9c4c8b43a2063d2e27101265d6e86f0c6629bccdfaabc1f95d4b46d0183d13ca3aefe
- SSDEEP
  
  3072:YgQR5j+wmnyVj/8+nNt/YIl0mugjSw88YTOjDhdMK1dysr7CVXSkcEvmnKpMko4X:UJhN8hywYgEhCevPQw
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Modifies WinLogon for persistence
  persistence
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2