agenttesla

General

Target

Payment Confirmation.tgz
Size

1.2MB
Sample

250120-lmvbrstjer
MD5

d7ad5711692f07aba871c91b168e908f
SHA1

12de4c53041bb3ddb233e27a66b797fb10a57b86
SHA256

6d6b9932fc109ad5e7cbb53ac022cf987b46674c6a635cee9821862cf777e8bc
SHA512

58c7298e52684f94c047d98bf865d79953a155c42395f593d886e1c23e15c12ea62ece8c28b4c235d508b19d26bd09e026b156115adf3ceb093ce757bbfff867
SSDEEP

12288:CBHBHL32sV3bJbKxCDmFBdva6Ux3ILBwZtrA3ZRrm9svcGg3QuseCW:2JLms1FbKxhFZuZhAfC9RGljW

Score

10^/10

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/

Targets

- Target
  
  Payment Confirmation.tgz
- Size
  
  1.2MB
- MD5
  
  d7ad5711692f07aba871c91b168e908f
- SHA1
  
  12de4c53041bb3ddb233e27a66b797fb10a57b86
- SHA256
  
  6d6b9932fc109ad5e7cbb53ac022cf987b46674c6a635cee9821862cf777e8bc
- SHA512
  
  58c7298e52684f94c047d98bf865d79953a155c42395f593d886e1c23e15c12ea62ece8c28b4c235d508b19d26bd09e026b156115adf3ceb093ce757bbfff867
- SSDEEP
  
  12288:CBHBHL32sV3bJbKxCDmFBdva6Ux3ILBwZtrA3ZRrm9svcGg3QuseCW:2JLms1FbKxhFZuZhAfC9RGljW
Score

1^/10
behavioral1 behavioral2
- Target
  
  sample
- Size
  
  524.5MB
- MD5
  
  07013d39312b83800b686896a921d4f1
- SHA1
  
  a04824a183bd32cde97f2f69305269672cf71b81
- SHA256
  
  2a0c6b887b654557d8fcfbc708d428007053cd9dfdf79385affd90d6d236d765
- SHA512
  
  b602950d266f664f6cffae73f660994724c2aea0f19cc2d398919c11bc7d5555be6958b251147340fe1d51aac71968595cd90b2ab381aa6b3a7339948bec2003
- SSDEEP
  
  12288:15O6WhRSUun9+kdKoVddva+UN3IFdSZHjA3tprg9eRcGsMok+y9pHSyKWE:i6Nn9+SKYZcZDAb09bGsMb+y9pH8
Score

1^/10
behavioral3 behavioral4
- Target
  
  Payment Confirmation.exe
- Size
  
  524.5MB
- MD5
  
  e179b1d770e32063f2d7161f9f3606bf
- SHA1
  
  35fe25d785cfc31c289a18efeb590f9e60665354
- SHA256
  
  1c67a2a529ff4a7873979a0235b75be6d0bfbbfb49395deb741cb938de94e8d1
- SHA512
  
  9007c3861576256ddda85284cb6ba19cb01da46209d1874a3b70204ba2b9ce87723ddcde8358e97460b70eca3fa255e9fda29531ee55eadb22ce18f1f7175b28
- SSDEEP
  
  12288:y5O6WhRSUun9+kdKoVddva+UN3IFdSZHjA3tprg9eRcGsMok+y9pHSyKWE:/6Nn9+SKYZcZDAb09bGsMb+y9pH8
Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
  keylogger trojan stealer spyware agenttesla
- Agenttesla family
  agenttesla
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral5 behavioral6