agenttesla

General

Target

827e98b504fbb413f8015d78cf5ea7a7105f800d48bb2205993d957591a679a6
Size

697KB
Sample

241218-bh8cqaxmfl
MD5

340d278f006bf19f78516f920e25b0b1
SHA1

4607d19159a2e37437a3770d3d427571fe123e0e
SHA256

827e98b504fbb413f8015d78cf5ea7a7105f800d48bb2205993d957591a679a6
SHA512

b59aa79a8f74f8b00d8784ee04379c4af97ac055e5da5c714d2c2494c7c5b44ce3dbe812f7ce88ec6be1c10bb93cdf0980db53f816802b42b5dfe91dc0c1eb05
SSDEEP

12288:/EpKPTbkGkdfarXpGtF/Zl++EbPvsDx0rwXAE1zWihF7zrqqIat8oVX7p0fy2GB:/EoPsjfmXpGtFfLEbPKx2wXJ1zWi3r/7

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
nXe0M~WkW&nJ

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.ercolina-usa.com
Port:
21
Username:
[email protected]
Password:
nXe0M~WkW&nJ

Targets

- Target
  
  QUOTATION#008792.exe
- Size
  
  760KB
- MD5
  
  db39d1e9256aa4ad6fc88d0fe4f0fcda
- SHA1
  
  703cab44b0654a9d446529faebabd405711e9f43
- SHA256
  
  1512bb8d4a24e83570b89e5644503fc5d308b6f56c23d481bcf802dd78755735
- SHA512
  
  ffa9f0b78897c5f2c7df55d3a0558d06aa01278152cb6edf62b3a2119425b1a0e0017ae5294bca466a674e68ee45aa9eb6fe9ab5a44102c9618d33aaf04a9a2e
- SSDEEP
  
  12288:UlvGOMK7btF5GQ4SZzuWNVBv5xRKA8fZIVtt+qFqyAbchAdrZ3X3u+:UleSbtnF4SZiWNVBv5/8fZWtttqyAAAB
Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2