agenttesla

General

Target

4df8137744b852e25c6864097f8fa0aaceb424abfd5ea5e74d876ba3347e7508.exe
Size

689KB
Sample

240904-by1b2stemb
MD5

6a161ccccb65f9df1da9db2e30407ba6
SHA1

4006dd425ccaab9319ef16f7df77956b518835bb
SHA256

4df8137744b852e25c6864097f8fa0aaceb424abfd5ea5e74d876ba3347e7508
SHA512

928db8496ca2a0e4b36f6faef53ee9703cf63ee4ba3c10ac1a32634b8075936fe5802c26aaeb302e66f559cc9c6a8fb5ebd76ba5011ee1a2ea580d557d3810a6
SSDEEP

12288:SzjLf30WH03GqQPiwsj7L8pyZvAZqGiZf9Uigfdoq0ZYaFtMpLDtGq3:sjj0yRownp4YZ34uLfH0ZOd5Gq

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0

Targets

- Target
  
  4df8137744b852e25c6864097f8fa0aaceb424abfd5ea5e74d876ba3347e7508.exe
- Size
  
  689KB
- MD5
  
  6a161ccccb65f9df1da9db2e30407ba6
- SHA1
  
  4006dd425ccaab9319ef16f7df77956b518835bb
- SHA256
  
  4df8137744b852e25c6864097f8fa0aaceb424abfd5ea5e74d876ba3347e7508
- SHA512
  
  928db8496ca2a0e4b36f6faef53ee9703cf63ee4ba3c10ac1a32634b8075936fe5802c26aaeb302e66f559cc9c6a8fb5ebd76ba5011ee1a2ea580d557d3810a6
- SSDEEP
  
  12288:SzjLf30WH03GqQPiwsj7L8pyZvAZqGiZf9Uigfdoq0ZYaFtMpLDtGq3:sjj0yRownp4YZ34uLfH0ZOd5Gq
Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2