agenttesla

General

Target

Awb4586109146.bat.exe
Size

776KB
Sample

241218-l7km3awjgp
MD5

a3bb238f798a512f7465f804735b8f9a
SHA1

31c7c96a95c22e7f4ab58b0f5330c4c79172be79
SHA256

9775ae8b4fa626011fb022ede69e2ec2bec2b7868bb70bda276da0145b4b410f
SHA512

4038f9e8b93e6e4dfa4f4b7493bb2e5988ee29a2d91029fa136549f424140cf0a77426d8739d40e95c5ac943681b384bdeb966d84bce0693c24d578220c1365e
SSDEEP

24576:4dEqcVwnUAFPtUBCSoR94Ou2sgnqVNO7qg+E5cnj:HqcVwnhFPtU7oR3uIn6NAqDE5cnj

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.concaribe.com
Port:
21
Username:
[email protected]
Password:
ro}UWgz#!38E

Targets

- Target
  
  Awb4586109146.bat.exe
- Size
  
  776KB
- MD5
  
  a3bb238f798a512f7465f804735b8f9a
- SHA1
  
  31c7c96a95c22e7f4ab58b0f5330c4c79172be79
- SHA256
  
  9775ae8b4fa626011fb022ede69e2ec2bec2b7868bb70bda276da0145b4b410f
- SHA512
  
  4038f9e8b93e6e4dfa4f4b7493bb2e5988ee29a2d91029fa136549f424140cf0a77426d8739d40e95c5ac943681b384bdeb966d84bce0693c24d578220c1365e
- SSDEEP
  
  24576:4dEqcVwnUAFPtUBCSoR94Ou2sgnqVNO7qg+E5cnj:HqcVwnhFPtU7oR3uIn6NAqDE5cnj
Score

10^/10

discovery agenttesla keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  ab1db56369412fe8476fefffd11e4cc0
- SHA1
  
  daad036a83b2ee2fa86d840a34a341100552e723
- SHA256
  
  6f14c8f01f50a30743dac68c5ac813451463dfb427eb4e35fcdfe2410e1a913b
- SHA512
  
  8d886643b4fc24adf78f76b663227d6e61863f89e0cbd49548f40dd040666ca94ea46bec9e336850e4f300995d56e6dc85b689c8e09ff46758822d280f06b03d
- SSDEEP
  
  48:S46+/zTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mxofjLl:z5uPbOBtWZBV8jAWiAJCdv2CmAL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10

discovery
behavioral5 behavioral6