agenttesla

General

Target

5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241.exe
Size

860KB
Sample

241018-b4xhcaygje
MD5

b0c43a399cb887cecbb33049458c1734
SHA1

b87560b57a5dc09b7f10ec4c4b5bb375f110a76b
SHA256

5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241
SHA512

b1bfe4519d32f17922362ba7fa818ae988fa37ee7b06710d2aad7961694eecf77f7d1ffff4ef05969ae20c5daedbdb963bce943367dc45744087cd9da6cd0676
SSDEEP

24576:xw5i2E3kkGk359DsibOF+17TWdg0F7RR5:x1l59DdOF+17TWSyR5

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241.exe
- Size
  
  860KB
- MD5
  
  b0c43a399cb887cecbb33049458c1734
- SHA1
  
  b87560b57a5dc09b7f10ec4c4b5bb375f110a76b
- SHA256
  
  5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241
- SHA512
  
  b1bfe4519d32f17922362ba7fa818ae988fa37ee7b06710d2aad7961694eecf77f7d1ffff4ef05969ae20c5daedbdb963bce943367dc45744087cd9da6cd0676
- SSDEEP
  
  24576:xw5i2E3kkGk359DsibOF+17TWdg0F7RR5:x1l59DdOF+17TWSyR5
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  4d3b19a81bd51f8ce44b93643a4e3a99
- SHA1
  
  35f8b00e85577b014080df98bd2c378351d9b3e9
- SHA256
  
  fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
- SHA512
  
  b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
- SSDEEP
  
  192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn
Score

3^/10

discovery
behavioral3 behavioral4