agenttesla

General

Target

f3b087907b571171ca9235a12c00d509_JaffaCakes118
Size

499KB
Sample

240924-p66qpaygpd
MD5

f3b087907b571171ca9235a12c00d509
SHA1

7061e830aa0ed2d5acb6f40076159b8628e06793
SHA256

6f0a01a329fd07fd8b435ca1b6f3e69c7b32e11fa145681d85fa244e97a1c3ca
SHA512

33a2d40f9592635ca9909c27f54c10e5cf5ef69d04f26ab392e831c1dfadf49feb895aa9ea8a24c16119ea051ae2ff3fb59746b1540c57c31139fd87cf2b36ce
SSDEEP

12288:smbKMScP7tEGEA5RROFY/3b9KNF7DKL7po8b15:9JZ5egUTDmVvbT

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
PUBLIC12345.@!!@

Targets

- Target
  
  Proforma Invoice.exe
- Size
  
  708KB
- MD5
  
  ce283c28a7441d2197b14faad7eccb38
- SHA1
  
  805e2221564dda4603cb6975c1ac51cd50afa030
- SHA256
  
  ba9c641828f465a988c43c858463602faadc4bc688b5b58d9a80bd25fd45a4d6
- SHA512
  
  8d4659f08858799b2fc51d15887b562597c8cbc489bd5e44bf0dad1ff8ffbcfaa537b6a41b5150cca3e0792c5836574ac251ebe76741c60c7ba2858d08b79d5e
- SSDEEP
  
  12288:AEGPYMScPFtEGTaxF+gIAtF5O0JwFK1ftPLAJu9douc7N:zGPdnXaKpsT2A257N
Score

10^/10

agenttesla collection credential_access discovery execution keylogger persistence privilege_escalation spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- AgentTesla payload
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Start PowerShell.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2