agenttesla | e84663ab628ea34d3c8af99e48cb6eb9012ac694a8cf5d2dea8890e40bd870f2 | Triage

Sharing

General

Target

e84663ab628ea34d3c8af99e48cb6eb9012ac694a8cf5d2dea8890e40bd870f2
Size

634KB
Sample

241121-bhrpzaxlhw
MD5

b77c277a7a050e95c6248e0baaf9e794
SHA1

64e6e19f4ac2f9d99e40993cedef12b5362497d2
SHA256

e84663ab628ea34d3c8af99e48cb6eb9012ac694a8cf5d2dea8890e40bd870f2
SHA512

908d3f443deb5bfbd0573cca90edf6595b98487a45491937ed95c68f05171167dbee41c6cf1ed4ee2aa3f029f5e0f65baadba2a7618bd89729402bd77823809d
SSDEEP

12288:JOAgFdodxJJ3HBz3XqrNLMo4Ozj1enA1u9Ygv4bRi5YW8BPXgsR:sAggxnhTXcV4Oknn9YG4HW8Bfg

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.solucionesmexico.mx
Port:
21
Username:
[email protected]
Password:
dGG^ZYIxX5!B

Extracted

Credentials

Protocol: ftp
Host:
ftp.solucionesmexico.mx
Port:
21
Username:
[email protected]
Password:
dGG^ZYIxX5!B

Targets

- Target
  
  e84663ab628ea34d3c8af99e48cb6eb9012ac694a8cf5d2dea8890e40bd870f2
- Size
  
  634KB
- MD5
  
  b77c277a7a050e95c6248e0baaf9e794
- SHA1
  
  64e6e19f4ac2f9d99e40993cedef12b5362497d2
- SHA256
  
  e84663ab628ea34d3c8af99e48cb6eb9012ac694a8cf5d2dea8890e40bd870f2
- SHA512
  
  908d3f443deb5bfbd0573cca90edf6595b98487a45491937ed95c68f05171167dbee41c6cf1ed4ee2aa3f029f5e0f65baadba2a7618bd89729402bd77823809d
- SSDEEP
  
  12288:JOAgFdodxJJ3HBz3XqrNLMo4Ozj1enA1u9Ygv4bRi5YW8BPXgsR:sAggxnhTXcV4Oknn9YG4HW8Bfg
Score

10^/10

agenttesla discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agenttesladiscoverykeyloggerspywarestealertrojan

behavioral2

agenttesladiscoverykeyloggerspywarestealertrojan