agenttesla

General

Target

fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe
Size

1016KB
Sample

241019-dae3basfrh
MD5

d6d14fc73f7e485b864a1dc1d8fde8f9
SHA1

85a6480abc0f54dafff5e4bc2b996e7655f91b2b
SHA256

fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b
SHA512

00a35cbb44902a58349995ac90800a935df7d28e5e81f3fbd786375be29d7b8dbfb974849046590c0f98702c6f21dbca7a40b5130aca80d84a9c44ee0374061c
SSDEEP

12288:m4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+IauB:/g/0yqiwv0f2SCHYAC+I9

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b.exe
- Size
  
  1016KB
- MD5
  
  d6d14fc73f7e485b864a1dc1d8fde8f9
- SHA1
  
  85a6480abc0f54dafff5e4bc2b996e7655f91b2b
- SHA256
  
  fff67160a40353338a0eb9ee2acb6cd15de640023ef8a819d6595ef34493757b
- SHA512
  
  00a35cbb44902a58349995ac90800a935df7d28e5e81f3fbd786375be29d7b8dbfb974849046590c0f98702c6f21dbca7a40b5130aca80d84a9c44ee0374061c
- SSDEEP
  
  12288:m4OpVuMv6/eGOFqi0isX8G2WJHkQ50g/s2QkPICHYA1U+IauB:/g/0yqiwv0f2SCHYAC+I9
Score

10^/10

agenttesla guloader discovery downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  3f176d1ee13b0d7d6bd92e1c7a0b9bae
- SHA1
  
  fe582246792774c2c9dd15639ffa0aca90d6fd0b
- SHA256
  
  fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
- SHA512
  
  0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
- SSDEEP
  
  192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
Score

3^/10

discovery
behavioral3 behavioral4