agenttesla

General

Target

c989b2909398f02c4d83aa9af041d9d9_JaffaCakes118
Size

265KB
Sample

240829-ytp2va1akq
MD5

c989b2909398f02c4d83aa9af041d9d9
SHA1

5aeb2bf224c9c85faeaa0fa1d597922f7020b18f
SHA256

340a1019886e0ecc7af290da92dad1389d53d91c2b0887b4cf631ef01be1591d
SHA512

8b955328346ca3cf3e19400c47c6c43d5cae289ee0cede0373d0dd37e9e9c21024562d89352303d7cd5b82028ace45cf40c87a4b8a4841c3ea31889cde71eaa4
SSDEEP

6144:SuMeeuMBD1getA+668oEMW30DJS48Dkc/X8bTwdLmLpSThuD:STeGD1gYAis1mJp8DkhLsToD

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.totalise.co.uk
Port:
587
Username:
[email protected]
Password:
Password1

Targets

- Target
  
  PI-897657546.exe
- Size
  
  619KB
- MD5
  
  bce45e9ce0d7582aadf9258a7f2c11d4
- SHA1
  
  e6364b28735b2612a871f13bbe0186775a6f3dbd
- SHA256
  
  7e6df8e621709bf5a958031c2826bc1dccc91cc36fc47e783504342061f7f67c
- SHA512
  
  9704c9c52a77e04d6f6d54e73ff7acfc4bb2b69cff20f44d2bfaa15154fa8935d7e3a893a5645bccba2af74fc00e9c4f606e4432d665bec74f5362ac7a6cc348
- SSDEEP
  
  6144:3aUPSc6VEJD6LpMWHPjsk3yzS5saUQq4MKtPxXJ6/mydrhCfiOp90o9rL9R8:3aUb6VEt6jHrr33qvKJ9JCoiA9RPA
Score

10^/10

agenttesla agilenet collection credential_access defense_evasion discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- System Binary Proxy Execution: InstallUtil
  Abuse InstallUtil to proxy execution of malicious code.
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2