agenttesla

General

Target

e227553773752db6e7826a42a909f0dd3b47e4bbd07a906a50eda9867c079dc8.rar
Size

631KB
Sample

240912-nanpkashqq
MD5

d1239870292a94f3852f41fa4e6765be
SHA1

9c84a687ed867f7c03c77f27e74b09339b7f82c2
SHA256

e227553773752db6e7826a42a909f0dd3b47e4bbd07a906a50eda9867c079dc8
SHA512

ece2114910e37784d3f0393c30e1d62f102eb4ecb389a6750b391e897de49cccba5df687886a555c7595d8ec7edd9856616809430165fa384457d072f1b14782
SSDEEP

12288:R5IuBF+i5HSZViZwSbozPmJxYSqgXn8YVyxokuCo29Es:RTRSZzSbKmjnpn8YVyxTvo2+s

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.haliza.com.my
Port:
21
Username:
[email protected]
Password:
JesusChrist007$

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.haliza.com.my
Port:
21
Username:
[email protected]
Password:
JesusChrist007$

Targets

- Target
  
  PO__20248099-1 12,300PCS.exe
- Size
  
  675KB
- MD5
  
  8cdc5879e6a0549f96cf83f5bd68a2c9
- SHA1
  
  1f5c0c35831864f6b9b5882b7e0fff5f7cec608d
- SHA256
  
  b7f92bbf59df7cfb571012b7aefa91bdc9f25b9cbced01e91dec5b0fc1380f7e
- SHA512
  
  9615466d53171e7e5eaa365bc540e5e6d3153afb651c097ec02d5732758f4b22b4002fa593ff73180c1bfe31db261380ddaaa69dc456f9ec1d22f7950adf8655
- SSDEEP
  
  12288:iD7kvDoQxNvjcsO1tT2ZschG3XTCbBnwoEY+YQsaaSU6QaWpqSGacb:iDottcp1gZ5G3DCbVwh/YpaaSwa+qocb
Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2