agenttesla

General

Target

JaffaCakes118_69a6d16e563e335bad162c6750c0ce1807bb96ce12e54bc43af19f6458a0a791
Size

427KB
Sample

241229-qnslsasndm
MD5

cbfb1f4bcfc7c86b05aae71908f099ad
SHA1

25829bb82a1e5ca09a6c9a6924074168cf61bdde
SHA256

69a6d16e563e335bad162c6750c0ce1807bb96ce12e54bc43af19f6458a0a791
SHA512

f2c0968797da5dc22223291844dcf837ea5021ddd437dee0a8ec2b44a61ee3239d7dddadcbcabd4b6c543e479ac87266c4c051164f9c0381e755124310c91537
SSDEEP

12288:4u9/ut8+oktP7PPflPG11yha7vSdoC0I/V2RszYvt2R:l/oDlO+WvSD5NXYlS

Score

10^/10

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://78.138.105.142/
Port:
21
Username:
dollar
Password:
Samsaghir786

Targets

- Target
  
  14.ps1
- Size
  
  1.0MB
- MD5
  
  b0b8b6e578b962fdb4eb7478e17ffa62
- SHA1
  
  9bb4326a0ff26a586d6fe321e3180d6dea885d2e
- SHA256
  
  30155d3d4ccd6801ebca520516e1a3e758c7ea6181fea652befac855deeb7d66
- SHA512
  
  fc38e92e4a49523693e43e8f042efe6aa4d3a832de33ea2cc41fc4688924be185dc3b2de5d5474955f9e7d904724da08043739a1a661e0b099624343e691d1ca
- SSDEEP
  
  6144:m+LvE+CG46RmeHYB3uTEfheJ5f0N2dNVGQWo8tbRy7T5cZ8W+axNF9vguT6Ux3ZT:3KG+NHbxzrTTE1e7ihN9brEeDXzq
Score

7^/10

execution collection credential_access discovery persistence privilege_escalation stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  dollar1.ps1
- Size
  
  510KB
- MD5
  
  c42d82bfd897477aad6221016be9d6fa
- SHA1
  
  af3505c7bda32a32cff69f3afc4c676856d377cc
- SHA256
  
  1308763f21e50778f78dd3fd05b61367341cb52c7ca1b411a0d18610b20c9ede
- SHA512
  
  f1262f4c95aa5a853ce1f4d1d069c76d6f438c9ba2839cf093472531002c7886a619252be1769d5ebd725e35224e3c2f50bc8ade603ba98216b7ca508894083e
- SSDEEP
  
  6144:BHJz/Da4narEcyu0c2slSDp6SGxQ9KH+d2QSQ9OSk/RZSht5C5q+Zbe6gy/3be+c:BHhan0cx2ho4
Score

10^/10

execution agenttesla collection credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  ksdfgxc.ps1
- Size
  
  4KB
- MD5
  
  8d73265b13d4b577e77b0214f03dbac7
- SHA1
  
  4373f1204e35f84888dae970b207c8a938b78f8a
- SHA256
  
  2de00bb669b0693a28a2e85678761d7d972aa9f0694e87c6ad6db885281cc8d9
- SHA512
  
  5c82c9313e7f18683e38a0a1e2ff44763f85978770220378abb2562caf6fb90e931e6814a53a0fa41b7acbd9e752e7c4b5113595fdde4adc4abd9a97b4fe1921
- SSDEEP
  
  96:6ghajvvOcdR0lChG/HuSHk3FNgQfBZL0W9qgPHHNEA0lcw0lE:GrvOzMGx2FwW9qgPHHNEVEW
Score

3^/10

execution
behavioral5 behavioral6