agenttesla

General

Target

Page1.exe
Size

784KB
Sample

240829-gqfkkaxale
MD5

02e06b3b97fc5955aa6717e6105e80c8
SHA1

c9e9e3ddf3fb4617b5044fac7fbce9dca78e531c
SHA256

a615aab871aec3a91dcc6f33f94a3b8b02d6033b5624fb392666fb3cfb3d114b
SHA512

ff4d0c30342b8d4138f85995cc391161986894cbd466ccc16921b8b7b04b093f2233ea8fd3bdfcc4fdf1e391518863d29f9ff48fc55bc206dc133dbd599c9ca3
SSDEEP

12288:NmHANG3RciXOT44AU3LBOQznSifmmMLQFGOL907i4y/tspQrhEgTmLREAgnWY:QHxcKfQVMLQzmu4kts+KrahW

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
oadc jzrw bmvr klnl

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
oadc jzrw bmvr klnl
Email To:
[email protected]

Targets

- Target
  
  Page1.exe
- Size
  
  784KB
- MD5
  
  02e06b3b97fc5955aa6717e6105e80c8
- SHA1
  
  c9e9e3ddf3fb4617b5044fac7fbce9dca78e531c
- SHA256
  
  a615aab871aec3a91dcc6f33f94a3b8b02d6033b5624fb392666fb3cfb3d114b
- SHA512
  
  ff4d0c30342b8d4138f85995cc391161986894cbd466ccc16921b8b7b04b093f2233ea8fd3bdfcc4fdf1e391518863d29f9ff48fc55bc206dc133dbd599c9ca3
- SSDEEP
  
  12288:NmHANG3RciXOT44AU3LBOQznSifmmMLQFGOL907i4y/tspQrhEgTmLREAgnWY:QHxcKfQVMLQzmu4kts+KrahW
Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  f1e9eed02db3a822a7ddef0c724e5f1f
- SHA1
  
  65864992f5b6c79c5efbefb5b1354648a8a86709
- SHA256
  
  6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df
- SHA512
  
  c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c
- SSDEEP
  
  48:S46+/fTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mjsofjLl:zRuPbOBtWZBV8jAWiAJCdv2Cmj/L
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  17ed1c86bd67e78ade4712be48a7d2bd
- SHA1
  
  1cc9fe86d6d6030b4dae45ecddce5907991c01a0
- SHA256
  
  bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
- SHA512
  
  0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
- SSDEEP
  
  192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Score

3^/10

discovery
behavioral5 behavioral6