agenttesla

General

Target

aba609a693cd895ebfcdbf496c118e89_JaffaCakes118
Size

542KB
Sample

240819-tfm8waxapl
MD5

aba609a693cd895ebfcdbf496c118e89
SHA1

972e78e14ee4042d0cd1ceac5fd0929f36bd6329
SHA256

bbeb4233e43c54abd02d91cace9dadc38ac342fc113700d80b9eec62644470c0
SHA512

1eccec9f7f929e5a5d452434ec090575dcfa64eca454171e14218c527eb9b36c5af1df1d6ebc3915115a96e87641c71baf75aa19fba5ed22d55f776accb1c0d3
SSDEEP

12288:ZuNj3ysHBbPUk0fIYmSZ0h26uFVHuHippSQe6iM4kEaRsA:ZuNj3LBbMeYj0gFV15P4kEaRv

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bsia.co.in
Port:
587
Username:
[email protected]
Password:
21mbsia@)@!Y

Targets

- Target
  
  SHIPPING ADV#GOLDEN TULIP.exe
- Size
  
  593KB
- MD5
  
  e498dda8fe626edf1a7429f17413e8f6
- SHA1
  
  833346d5a94513284b16e46684d452c29f8383b9
- SHA256
  
  33d1ee08ec2436549562ef8eca03677c79392f03b8398616c635c4f22026f89e
- SHA512
  
  9bf609fe600dda6e6cb95ca180f2ae3fdc1b07e1c0e84b7e1da1f4c449f071aa2be67084b0af22b86addd58137db55ed3f00f8082923d916f1a3135f48c77ab7
- SSDEEP
  
  12288:F6fn1r3yqlBbFUAKf2YiSZsV06u3VHWV9bFQekoMckMsReb:gv1r31BbScYXs63VEbMBckM0eb
Score

10^/10

agenttesla collection credential_access discovery evasion execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Looks for VirtualBox Guest Additions in registry
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2