agenttesla

General

Target

9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d.exe
Size

847KB
Sample

241008-y5l5bswglg
MD5

653f74e2e06766000c9b6e97b8693b15
SHA1

ca8bed0df626ded2808ebd9fb0d9f533cc140304
SHA256

9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
SHA512

3397f6306edd32f05451876a13d4dac89513b4a5bcbbc4dec4c8f06f879718bbca38fc642d9b0479a9339d393775f3b499c97a0c15bb378014471a1183a4fbe9
SSDEEP

12288:RrGBRNCq8JXtRHVZ7WnAO2poRl2oy8ZCsnOkZGgLc3z3Cm:8j2JLHV5iAO26RlVnnOkZGxz3

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.iaa-airferight.com
Port:
587
Username:
[email protected]
Password:
webmaster
Email To:
[email protected]

Targets

- Target
  
  9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d.exe
- Size
  
  847KB
- MD5
  
  653f74e2e06766000c9b6e97b8693b15
- SHA1
  
  ca8bed0df626ded2808ebd9fb0d9f533cc140304
- SHA256
  
  9c7df3a3e8174fcad51ce98aa8875fd72b8e7acadb309ad8b6ac59e8a0c1d65d
- SHA512
  
  3397f6306edd32f05451876a13d4dac89513b4a5bcbbc4dec4c8f06f879718bbca38fc642d9b0479a9339d393775f3b499c97a0c15bb378014471a1183a4fbe9
- SSDEEP
  
  12288:RrGBRNCq8JXtRHVZ7WnAO2poRl2oy8ZCsnOkZGgLc3z3Cm:8j2JLHV5iAO26RlVnnOkZGxz3
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2