agenttesla

General

Target

JaffaCakes118_05da915207fe2b7a54f238fee7828d3cf0cc0db0f0de7993b9ddafdf9077f3bb
Size

200KB
Sample

241224-taa2cs1lex
MD5

13991e82bc8cdb0b02c390faa8197f9d
SHA1

9c110ef10e4b4ae53cf3933e4de839a2d8f50bc7
SHA256

05da915207fe2b7a54f238fee7828d3cf0cc0db0f0de7993b9ddafdf9077f3bb
SHA512

750fae394893111c68350e84d061f5b6d585944511cdb98e9c1787cc1985444c0a359ab560b0aaeb5f9e2ca639c9c21d8f36272b1d6a227522dba4f024ca27ed
SSDEEP

3072:Iy1a5qq42NojV7lDIYNQ96yfyhp9S67+Ullg0KFirhU/PCd19zFbhms1rheKBRnO:NAGjn26Z7+Urg0KFisQF15rxBLOu/g

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.amssealing.com
Port:
587
Username:
[email protected]
Password:
ams@123%2029$

Targets

- Target
  
  3c783827c751d8155644f546b2d6b5306a2520fff907a962a669f3f86cf5c9fe.exe
- Size
  
  213KB
- MD5
  
  19711c7b13e7717d3e225bb8cf87a6eb
- SHA1
  
  eefec05b24b941ae4b0d24c3ae2f1c394aeee63c
- SHA256
  
  3c783827c751d8155644f546b2d6b5306a2520fff907a962a669f3f86cf5c9fe
- SHA512
  
  0486b2a6ccef06fd49961c3b105d2587e85df9cabc061fb23b4b8fabad6810245571f9948c824d960807f1d590abee8ac8c86d3404e2c2893d9b4ef6388d1040
- SSDEEP
  
  3072:WfJSq+ytGIon9KcSMiTPLqS5G7cLX+B61j/Ly3AtdwEDdlmcXbCdnXUCNlAYgVOM:MEa0NiT1DqKCWd7hMcX8kvUAwWiK
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Executes dropped EXE
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  araew.exe
- Size
  
  69KB
- MD5
  
  77bd81274a2c432284179bea00ea29c6
- SHA1
  
  92d5d6b2bcc4b5e9903105d3593c1eb83f8c0edd
- SHA256
  
  ea51a0a70ba6dd2f1b40c97fe8df313b9b7b0f49f172e3e925416c88049620af
- SHA512
  
  a26d004bbe48d9c8cf6bdb95ef801a07ff431c8bbdbfcbc0b7b4458e4ba42c82be1945291cc180d2ef4fbe54cc07dbe7678fdf43be61fa2e09cfecf327decf54
- SSDEEP
  
  1536:UhbuCqJfK4hzAFiYmIoiDCqM+JIeM7WdTzVPjd6JXBsWScdPI/F:yLOK4hzj1lqM+JIeM7WwJHP+F
Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan upx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3 behavioral4