agenttesla

General

Target

e4abeca3f1e138479cda142530fbc810N
Size

585KB
Sample

240909-cbwk1syepd
MD5

e4abeca3f1e138479cda142530fbc810
SHA1

5b010c25a6b4702d6d0ea9c48d2a3339de5d5182
SHA256

b50fc7113a6c52967913e5bada3755364af76c2188ed621af5f23c3669648425
SHA512

93b8dea3bc03d88c1ac6e6b0e171f3db2153f73c139dc513b6ee16c74f4499461e92cf06bf2421fef2463f0441f8db655c1c4ae38c2c1705fe805035e31a5ab3
SSDEEP

12288:yYV6MorX7qzuC3QHO9FQVHPF51jgcdF++2Jw4THc7E6mVIE:BBXu9HGaVHWxJwGHcg6mv

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.antoniomayol.com:21
Port:
21
Username:
[email protected]
Password:
cMhKDQUk1{;%

Targets

- Target
  
  e4abeca3f1e138479cda142530fbc810N
- Size
  
  585KB
- MD5
  
  e4abeca3f1e138479cda142530fbc810
- SHA1
  
  5b010c25a6b4702d6d0ea9c48d2a3339de5d5182
- SHA256
  
  b50fc7113a6c52967913e5bada3755364af76c2188ed621af5f23c3669648425
- SHA512
  
  93b8dea3bc03d88c1ac6e6b0e171f3db2153f73c139dc513b6ee16c74f4499461e92cf06bf2421fef2463f0441f8db655c1c4ae38c2c1705fe805035e31a5ab3
- SSDEEP
  
  12288:yYV6MorX7qzuC3QHO9FQVHPF51jgcdF++2Jw4THc7E6mVIE:BBXu9HGaVHWxJwGHcg6mv
Score

10^/10

agenttesla credential_access discovery keylogger spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Credentials from Password Stores: Credentials from Web Browsers

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2