agenttesla

General

Target

964b626022ea083fe9624f88d0371fa01fb6b3b4fa081e880d88a05bbf0654b3
Size

666KB
Sample

241016-btxelawaqg
MD5

0cc41f127fab597085bc6125dfc809f2
SHA1

1e36ce6c9d40f959628739b740e4e30cd4afa0b7
SHA256

964b626022ea083fe9624f88d0371fa01fb6b3b4fa081e880d88a05bbf0654b3
SHA512

2482ec6a288163d8fd55abced05ba885c65f88fc5b5de8bc81a987bd25dd855de2f22428125f264dec9a6ab3ffb7d8b55339147c68642a1bac6c37832e1a7e15
SSDEEP

12288:ONBi378Ezq6mFhbL5RGDuLHsomyplHD1YE5c9dJmsOZAjGQB7F0PgvD5Fb7E:ONg37Hq6iNLGsHcejj5c96ZOGQMPgNpE

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.ionos.es
Port:
587
Username:
[email protected]
Password:
luiyis353173
Email To:
[email protected]

Targets

- Target
  
  964b626022ea083fe9624f88d0371fa01fb6b3b4fa081e880d88a05bbf0654b3
- Size
  
  666KB
- MD5
  
  0cc41f127fab597085bc6125dfc809f2
- SHA1
  
  1e36ce6c9d40f959628739b740e4e30cd4afa0b7
- SHA256
  
  964b626022ea083fe9624f88d0371fa01fb6b3b4fa081e880d88a05bbf0654b3
- SHA512
  
  2482ec6a288163d8fd55abced05ba885c65f88fc5b5de8bc81a987bd25dd855de2f22428125f264dec9a6ab3ffb7d8b55339147c68642a1bac6c37832e1a7e15
- SSDEEP
  
  12288:ONBi378Ezq6mFhbL5RGDuLHsomyplHD1YE5c9dJmsOZAjGQB7F0PgvD5Fb7E:ONg37Hq6iNLGsHcejj5c96ZOGQMPgNpE
Score

10^/10

discovery execution agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Haarvksten/Nomenklaturerne.Bac
- Size
  
  53KB
- MD5
  
  67517d72ac10b11f81aa07fc2f994275
- SHA1
  
  71d255f09b46f34093786eec160120e6383b2f8c
- SHA256
  
  0af4117e1ded224818ab4c741022f2179af74cc0cf9fcc640efb73746baf4fe4
- SHA512
  
  1c1054233b654d8831c114b0f009a095a49c8805b13a2d756e5eedec477cddb2608ed0012b040a8736916e3226a5aebb4425eb6f3ee02e4338afe9816b923afe
- SSDEEP
  
  768:GTPdZlcIXV5loyDhTeT2qroJOgR08h5IhTviGxm83oq/VHDpbnVHxDy0V0DoinD2:GTlrcslmrrfS5IBiG+eJhr6/nA3l
Score

8^/10

execution persistence
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral3 behavioral4