agenttesla

General

Target

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1
Size

923KB
Sample

241124-bktmcasmgj
MD5

c214377ddbfc6b4721db28b83e381edd
SHA1

8ca975d7e8a3a581659076d09147cb2e1ff95b99
SHA256

ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1
SHA512

c9ed14ecfa7fbb127ea25eb97ae17c4e4f292dbc7ad18aa4d98dccac57859125d4b7333cd95e0e52d476ad4b7f6365000f61a047e498c5f6335c03ab85ef1319
SSDEEP

24576:kk7vQavyVoyXO+Q0drrgWID8TUo0yLWXTAxs0Ts:x7vQavyGZ2xrgWIUJLmYVo

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.bursaplastik.com
Port:
587
Username:
[email protected]
Password:
ahm155
Email To:
[email protected]

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk/sendMessage?chat_id=860277004

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

91.92.109.70:5353

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

professor

C2

91.92.109.70:9412

Attributes

auth_value
e49ffb4df6cacbfbb1d4dc8e6b137a0a

Targets

- Target
  
  ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1
- Size
  
  923KB
- MD5
  
  c214377ddbfc6b4721db28b83e381edd
- SHA1
  
  8ca975d7e8a3a581659076d09147cb2e1ff95b99
- SHA256
  
  ef7fb11fdb85d8824af5f3b20e6aeaa0531c0d718d3d11dc04948a5d924bb0c1
- SHA512
  
  c9ed14ecfa7fbb127ea25eb97ae17c4e4f292dbc7ad18aa4d98dccac57859125d4b7333cd95e0e52d476ad4b7f6365000f61a047e498c5f6335c03ab85ef1319
- SSDEEP
  
  24576:kk7vQavyVoyXO+Q0drrgWID8TUo0yLWXTAxs0Ts:x7vQavyGZ2xrgWIUJLmYVo
Score

10^/10

agenttesla asyncrat redline sectoprat snakekeylogger default professor collection credential_access discovery infostealer keylogger rat spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- SectopRAT
  SectopRAT is a remote access trojan first seen in November 2019.
  trojan rat sectoprat
- SectopRAT payload
- Sectoprat family
  sectoprat
- Snake Keylogger
  Keylogger and Infostealer first seen in November 2020.
  stealer keylogger snakekeylogger
- Snake Keylogger payload
- Snakekeylogger family
  snakekeylogger
- AgentTesla payload
- Async RAT payload
  rat
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2