agenttesla

General

Target

34556da1056e4de25cecead015de295a_JaffaCakes118
Size

545KB
Sample

241011-l9dbrsxekb
MD5

34556da1056e4de25cecead015de295a
SHA1

37c4e19c6e435837323977722e8917f32f029825
SHA256

a7eeb6c03f4571ee4092402213f2882d0f3f7b0f5237020bb36fea588aa33ac1
SHA512

252abe7cfb91463d298ad77af1824d725551e13981694e5bb3cfc561e3d699ff0919585a8c03d0be9dcea5836ceaccb61a5deb18d97ae293f6b14ec9bac5f10d
SSDEEP

12288:odDjmKYCx8kRc5nj6fQ8t9hmKi1dTTgIM0:oFjmKvxfe5n+o09hmv1dTThM0

Score

10^/10

Malware Config

Targets

- Target
  
  34556da1056e4de25cecead015de295a_JaffaCakes118
- Size
  
  545KB
- MD5
  
  34556da1056e4de25cecead015de295a
- SHA1
  
  37c4e19c6e435837323977722e8917f32f029825
- SHA256
  
  a7eeb6c03f4571ee4092402213f2882d0f3f7b0f5237020bb36fea588aa33ac1
- SHA512
  
  252abe7cfb91463d298ad77af1824d725551e13981694e5bb3cfc561e3d699ff0919585a8c03d0be9dcea5836ceaccb61a5deb18d97ae293f6b14ec9bac5f10d
- SSDEEP
  
  12288:odDjmKYCx8kRc5nj6fQ8t9hmKi1dTTgIM0:oFjmKvxfe5n+o09hmv1dTThM0
Score

10^/10

agenttesla agilenet collection credential_access discovery keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2