agenttesla

General

Target

JaffaCakes118_392f0e8e6ed60e4e1c35bf1f6be5ec57
Size

338KB
Sample

250106-zcl5asxjds
MD5

392f0e8e6ed60e4e1c35bf1f6be5ec57
SHA1

72aff1f262792ec3e626888583c55549d395dcb7
SHA256

49b6ab1d5d071bdca6b3cfec673a258110848bc5beea2805d6b7e016731a4655
SHA512

a67341f726f1e0df2e1733cf3d4dbcbb6d950922b35df5c2ba1feec343dc668a28b3f9ee0a8eb9089fa3e04811acb868dc34021d38f2b9d1fb2a987d08410532
SSDEEP

6144:GBlL/VGeKGDuGyGNQuy55SVyvdhZJrfdX6qFck4o+v/WwE8jjlw1qA:EmPgmKSv+/WWjK1X

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument

Targets

- Target
  
  JaffaCakes118_392f0e8e6ed60e4e1c35bf1f6be5ec57
- Size
  
  338KB
- MD5
  
  392f0e8e6ed60e4e1c35bf1f6be5ec57
- SHA1
  
  72aff1f262792ec3e626888583c55549d395dcb7
- SHA256
  
  49b6ab1d5d071bdca6b3cfec673a258110848bc5beea2805d6b7e016731a4655
- SHA512
  
  a67341f726f1e0df2e1733cf3d4dbcbb6d950922b35df5c2ba1feec343dc668a28b3f9ee0a8eb9089fa3e04811acb868dc34021d38f2b9d1fb2a987d08410532
- SSDEEP
  
  6144:GBlL/VGeKGDuGyGNQuy55SVyvdhZJrfdX6qFck4o+v/WwE8jjlw1qA:EmPgmKSv+/WWjK1X
Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/aiuxmmjtmkz.dll
- Size
  
  19KB
- MD5
  
  586dd640c4a64cdf876ac0bfe48ad870
- SHA1
  
  8f9704a440ee2fb56b0bfd2a2f9a5b2a3fa685f0
- SHA256
  
  206c1772141cc0ae68d1a3a317c1b4e5b2ece540322c211b6a37d65f100114cd
- SHA512
  
  984100b0309b9d2f3cdf783697a497cea4675aee9b2c4529ef20afd6bdf011f1240044bfda2af2f9bb98b98c45b03c6d72e98dda2da8a958d36f3229c9a0dc62
- SSDEEP
  
  192:6z+aLflYnmPwn5488nq3lfstCTJ28WzKKMih6rmvIQb/Wj0J43UESslEUwvyX2Rm:6zJBYew5JDstCToJTIi/W2slE5vYQHG
Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- AgentTesla payload
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Suspicious use of SetThreadContext
behavioral3 behavioral4