agenttesla

General

Target

631f31e83817663a0e56b4fdf3643d150f5a84a5cdf7e61da773d9985b4ef9c5.img
Size

1.2MB
Sample

241205-c47trazpdl
MD5

65d6a736eb794fc138eae7c254cf1c7c
SHA1

4145f7523c5cadfd714c4c4acf36b0cac3d9331a
SHA256

631f31e83817663a0e56b4fdf3643d150f5a84a5cdf7e61da773d9985b4ef9c5
SHA512

2c178b112c195597257145c7cb6a02a937a5751c2b03ef4cb2c2459b71c1653a52a5d7cae05be4ee50c7a4f752cffcefc4c2ec0afd11329d9c82bce3b50a9a35
SSDEEP

12288:SHadcxTchoKjyaOA/krybKcHGLoejfuLo8i5Zk:eadhaKuaOA/NYfuLo8iHk

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  Documenti di spedizione.bat
- Size
  
  588KB
- MD5
  
  a10e959289c077bc452de5c48abd7262
- SHA1
  
  9b295da45f8cc4fa5e5b94ba1ad3de93c617eadf
- SHA256
  
  e246806c6b16a736f29c6c3677c9f9263c8a0dc347a92a4f2606e93b13aec707
- SHA512
  
  67e5e6cd4f850f889cc09ee909310691968dc6f44c8ab2a2c1628a42605c42b6c767fefe5454d6d29fbf0aeced3f99626f5bf4037a2f3de942a0156318015778
- SSDEEP
  
  12288:tHadcxTchoKjyaOA/krybKcHGLoejfuLo8i5Zk4:VadhaKuaOA/NYfuLo8iHk4
Score

10^/10

discovery agenttesla guloader downloader keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  192639861e3dc2dc5c08bb8f8c7260d5
- SHA1
  
  58d30e460609e22fa0098bc27d928b689ef9af78
- SHA256
  
  23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
- SHA512
  
  6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
- SSDEEP
  
  192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr
Score

3^/10

discovery
behavioral3 behavioral4