agenttesla

General

Target

ZAMOWIEN.EXE.exe
Size

443KB
Sample

241008-jftesawbrr
MD5

e48da20cb37e235145461d1ef93d560e
SHA1

cbea11aeb4c0ce13c251b5f9bf13560882602a9b
SHA256

f1a872932afe6964f188d3ddd0f2c2dfa639bfcdfd1baff74bdcd5eca8f815c9
SHA512

276d051174944b9fca11e21db397fb462296d870faf11fc41b57335acddf475f641df74f4ffadeeb38a014ee1819ad185ad08f3d16d62aeb73d456332ade56a0
SSDEEP

6144:NqC56ALcmpQFbVySc2pMOooOZFC7PPH9OvuGnzH6JOSOs+VrPfh8RBq/q4+96YJ0:KA9WL5c2pE8PHZGT64P5aRIle5FVaFzf

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.carbognin.it
Port:
21
Username:
[email protected]
Password:
59Cif8wZUH#X

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.carbognin.it
Port:
21
Username:
[email protected]
Password:
59Cif8wZUH#X

Targets

- Target
  
  ZAMOWIEN.EXE.exe
- Size
  
  443KB
- MD5
  
  e48da20cb37e235145461d1ef93d560e
- SHA1
  
  cbea11aeb4c0ce13c251b5f9bf13560882602a9b
- SHA256
  
  f1a872932afe6964f188d3ddd0f2c2dfa639bfcdfd1baff74bdcd5eca8f815c9
- SHA512
  
  276d051174944b9fca11e21db397fb462296d870faf11fc41b57335acddf475f641df74f4ffadeeb38a014ee1819ad185ad08f3d16d62aeb73d456332ade56a0
- SSDEEP
  
  6144:NqC56ALcmpQFbVySc2pMOooOZFC7PPH9OvuGnzH6JOSOs+VrPfh8RBq/q4+96YJ0:KA9WL5c2pE8PHZGT64P5aRIle5FVaFzf
Score

10^/10

discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Sakset.Res
- Size
  
  52KB
- MD5
  
  87d2841aab88bd011520d4b98298992f
- SHA1
  
  cbdf74d62edcca1c96f44929c396383a405252f8
- SHA256
  
  158c5134e2910f62d058a85124b81070ba5953276b7a0354ecb5fcc20db58b95
- SHA512
  
  98d6af4ebafdd61012e0e8daf6c73526e016783f710bda0a17be859d9e9bf7411e914ff531d93b276f206713d47612a252d5bf27329044f8c7fb1a096311a603
- SSDEEP
  
  1536:aTWK9EAa2SsfqrQwGXkNJAHBJOYhFQTWfT:aP9EOk0kshJNayT
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4