agenttesla

General

Target

af5d33f6d6968f482d8cee26b7d9d4f809525de3854f25dcf187e611445dfaf3
Size

1.4MB
Sample

241018-bndqasxfmh
MD5

1999e8e9a0a7a5d981800ad2787d2b49
SHA1

85fc0e7659449b5e9dbac992c75575cd0b90bb81
SHA256

af5d33f6d6968f482d8cee26b7d9d4f809525de3854f25dcf187e611445dfaf3
SHA512

1e8e844c58f6f0d5b0b114d5ee3c3a30eeb3a4595288ba871dfebe7083a0272569b07a4feaef4f57bb6180ad5d9a29dd90bc67bdfa47e9cc297b7672d4e5161e
SSDEEP

24576:4w5i2E3kkGk359DsibOF+17TWdg0F7RR:41l59DdOF+17TWSyR

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  Order 10172024.bat
- Size
  
  860KB
- MD5
  
  b0c43a399cb887cecbb33049458c1734
- SHA1
  
  b87560b57a5dc09b7f10ec4c4b5bb375f110a76b
- SHA256
  
  5105db90f81f4ef84db840b9e9e0e1d593448607fddfe9f4b6d6240ad994c241
- SHA512
  
  b1bfe4519d32f17922362ba7fa818ae988fa37ee7b06710d2aad7961694eecf77f7d1ffff4ef05969ae20c5daedbdb963bce943367dc45744087cd9da6cd0676
- SSDEEP
  
  24576:xw5i2E3kkGk359DsibOF+17TWdg0F7RR5:x1l59DdOF+17TWSyR5
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  4d3b19a81bd51f8ce44b93643a4e3a99
- SHA1
  
  35f8b00e85577b014080df98bd2c378351d9b3e9
- SHA256
  
  fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
- SHA512
  
  b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
- SSDEEP
  
  192:BPtkumJX7zB22kGwfy0mtVgkCPOse1un:u702k5qpdseQn
Score

3^/10

discovery
behavioral3 behavioral4