agenttesla

General

Target

eb03c5a0e34543a3953a2cbc2c043ef8bc46f73222881bcf250f50295a3fcd53
Size

1.3MB
Sample

241109-bysbfaxjcl
MD5

7cfb4f45b09356fe91d70b2a1e814dc5
SHA1

7ead9913e5072fba488f91227bd816d7d7b1fad2
SHA256

eb03c5a0e34543a3953a2cbc2c043ef8bc46f73222881bcf250f50295a3fcd53
SHA512

279ff37254f88eb629bd07e27007987a4dfbff8ee45da2c65815fd69a33c1f20a03cb09478c143cc4586732ccb9e2545f7b1842e10a9330255dddd4757556d57
SSDEEP

24576:Z2UQlS3rdEooqXXrKZmET6smDKGMYULltywNhRx:8MheZCsmDKxdLltykB

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
s82.gocheapweb.com
Port:
587
Username:
[email protected]
Password:
london@1759
Email To:
[email protected]

Targets

- Target
  
  eb03c5a0e34543a3953a2cbc2c043ef8bc46f73222881bcf250f50295a3fcd53
- Size
  
  1.3MB
- MD5
  
  7cfb4f45b09356fe91d70b2a1e814dc5
- SHA1
  
  7ead9913e5072fba488f91227bd816d7d7b1fad2
- SHA256
  
  eb03c5a0e34543a3953a2cbc2c043ef8bc46f73222881bcf250f50295a3fcd53
- SHA512
  
  279ff37254f88eb629bd07e27007987a4dfbff8ee45da2c65815fd69a33c1f20a03cb09478c143cc4586732ccb9e2545f7b1842e10a9330255dddd4757556d57
- SSDEEP
  
  24576:Z2UQlS3rdEooqXXrKZmET6smDKGMYULltywNhRx:8MheZCsmDKxdLltykB
Score

10^/10

modiloader discovery trojan agenttesla execution keylogger persistence spyware stealer
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modiloader family
  modiloader
- ModiLoader Second Stage
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2