agenttesla

General

Target

65d33bde1b9e3d11e7b3ce0767fd22ec.bin
Size

642KB
Sample

240913-bqfbxawhqg
MD5

d8f77ce22d435f9f423e72a7659e4117
SHA1

4803393487d468aa0833e391c7f8ce3173664883
SHA256

8314c08237812a03249735937db7b1b6b1a1c3135f38c52c4980e6205da3e5ff
SHA512

58444debba9645cddefae37cafc1913450e1f11562e6ca7116ff7b69dff603b81dea843746ea67ceb022b097d72f05cdf447e5bfed3a6f0a71bb5bed4415eb7e
SSDEEP

12288:9fRs4Dv9BdINZNYOJKaJDxk4NdO0DCnOsNKirJ2y0n:lRs4KNZNYO8aJ17NdO0OOn+o

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0
Email To:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0

Targets

- Target
  
  8eadfc2a0f3dce9b786340417545bc64a10dbd32e8677bbcf61929df787d4055.exe
- Size
  
  851KB
- MD5
  
  65d33bde1b9e3d11e7b3ce0767fd22ec
- SHA1
  
  bf2496621ae5c35c3ba4056af0290ba1104c7056
- SHA256
  
  8eadfc2a0f3dce9b786340417545bc64a10dbd32e8677bbcf61929df787d4055
- SHA512
  
  7b5ae1a98fbcf8196b9d8a4cd856e4bb7a8cfbc996ac9b792e8cfee2b670c76ab64ab7a478a7b142bdb03b86cacc803b984ebac302a095eff4f0cb10ff09a318
- SSDEEP
  
  12288:0e2VXNGg3VBx6k/+Ac0ZXN07M8NHNOraQ5ZCKaGSTij9N/Uu49f2FSWuEz8/A1yp:0e2zsk55m7M8NH8RCAIu49O8jEA/G
Score

10^/10

agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2